Windows Analysis Report
Rcqcps3y45.exe

Overview

General Information

Sample name: Rcqcps3y45.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 2e83048c7ed1193f09ae8d293b42c105662828f2ab56a2fa1f81379ee250fc46
Analysis ID: 1429249
MD5: 4e39dcfb9913e475f04927e71f38733a
SHA1: 5618cdd20144cf44ac0719bf917aac2ff882e41c
SHA256: 2e83048c7ed1193f09ae8d293b42c105662828f2ab56a2fa1f81379ee250fc46

Detection

LockBit ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Deletes itself after installation
Hides threads from debuggers
Machine Learning detection for sample
Writes many files with high entropy
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear Windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Rcqcps3y45.exe (PID: 5800 cmdline: "C:\Users\user\Desktop\Rcqcps3y45.exe" MD5: 4E39DCFB9913E475F04927E71F38733A)
    • CBE8.tmp (PID: 3720 cmdline: "C:\ProgramData\CBE8.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
      • cmd.exe (PID: 1852 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Rcqcps3y45.exe | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
Rcqcps3y45.exe | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Source | Rule | Description | Author | Strings
00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Source | Rule | Description | Author | Strings
0.2.Rcqcps3y45.exe.670000.0.unpack | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
0.2.Rcqcps3y45.exe.670000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.0.Rcqcps3y45.exe.670000.0.unpack | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
0.0.Rcqcps3y45.exe.670000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

No Sigma rule has matched
No Snort rule has matched

            AV Detection

Source: Rcqcps3y45.exe | Avira: detected
Source: C:\ProgramData\CBE8.tmp | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\ProgramData\CBE8.tmp | ReversingLabs: Detection: 83%
Source: C:\ProgramData\CBE8.tmp | Virustotal: Detection: 82%
Source: Rcqcps3y45.exe | ReversingLabs: Detection: 86%
Source: Rcqcps3y45.exe | Virustotal: Detection: 90%
Source: Rcqcps3y45.exe | Joe Sandbox ML: detected
Source: Rcqcps3y45.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\tnif8b1Sa.README.txt
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\$WinREAgent\tnif8b1Sa.README.txt
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\$WinREAgent\Scratch\tnif8b1Sa.README.txt
Source: Rcqcps3y45.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00675C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,0_2_00675C24
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006774BC FindFirstFileExW,FindNextFileW,0_2_006774BC
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067A094 FindFirstFileExW,FindClose,0_2_0067A094
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677590 FindFirstFileExW,FindClose,0_2_00677590
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,0_2_0067766C
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,0_2_0067F308
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_0040227C FindFirstFileExW,2_2_0040227C
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,2_2_0040152C
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677468 GetLogicalDriveStringsW,GetDriveTypeW,0_2_00677468
Source: tnif8b1Sa.README.txt.0.dr, tnif8b1Sa.README.txt1.0.dr, tnif8b1Sa.README.txt0.0.dr | String found in binary or memory: https://getsession.org/;

            Spam, unwanted Advertisements and Ransom Demands

Source: C:\tnif8b1Sa.README.txt | Dropped file: go to https://getsession.org/; download & install; run, click conversations, send new message to this id 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912; mention this code FORMOSA in your initial message; then wait for our response; we have exfiltrated all your valuable data; we are going to publish it on the dark web pretty soon
Source: Yara match | File source: Rcqcps3y45.exe, type: SAMPLE
Source: Yara match | File source: 0.2.Rcqcps3y45.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Rcqcps3y45.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\Rcqcps3y45.exe entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\AAAAAAAAAAAAAA (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\BBBBBBBBBBBBBB (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\CCCCCCCCCCCCCC (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\DDDDDDDDDDDDDD (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\EEEEEEEEEEEEEE (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\FFFFFFFFFFFFFF (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\GGGGGGGGGGGGGG (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\HHHHHHHHHHHHHH (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\IIIIIIIIIIIIII (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJ (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\KKKKKKKKKKKKKK (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\LLLLLLLLLLLLLL (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\MMMMMMMMMMMMMM (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\NNNNNNNNNNNNNN (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\OOOOOOOOOOOOOO (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\PPPPPPPPPPPPPP (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQ (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\RRRRRRRRRRRRRR (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\SSSSSSSSSSSSSS (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\TTTTTTTTTTTTTT (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\UUUUUUUUUUUUUU (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\VVVVVVVVVVVVVV (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\WWWWWWWWWWWWWW (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\XXXXXXXXXXXXXX (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\YYYYYYYYYYYYYY (copy) entropy: 7.99707062
Source: C:\ProgramData\CBE8.tmp | File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZ (copy) entropy: 7.99707062

            System Summary

Source: Rcqcps3y45.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.2.Rcqcps3y45.exe.670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.Rcqcps3y45.exe.670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067DC60 NtTerminateProcess,0_2_0067DC60
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067B470 NtProtectVirtualMemory,0_2_0067B470
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067B444 NtSetInformationThread,0_2_0067B444
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00687034 KiUserCallbackDispatcher,CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread,0_2_00687034
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006804B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,0_2_006804B4
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00679880 NtClose,0_2_00679880
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067E1E8 CreateThread,NtClose,0_2_0067E1E8
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006791C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,CloseEventLog,NtClose,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,0_2_006791C8
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00676668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,0_2_00676668
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067B674 NtQueryInformationToken,0_2_0067B674
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067E270 NtClose,0_2_0067E270
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677E58 NtQuerySystemInformation,Sleep,0_2_00677E58
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00678F68 RtlAdjustPrivilege,NtSetInformationThread,0_2_00678F68
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067B734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,0_2_0067B734
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00680BE4 CreateThread,NtClose,0_2_00680BE4
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067B3C0 NtSetInformationThread,NtClose,0_2_0067B3C0
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006797D8 NtQuerySystemInformation,0_2_006797D8
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067982A NtQuerySystemInformation,0_2_0067982A
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00679811 NtQuerySystemInformation,0_2_00679811
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677EA3 NtQuerySystemInformation,Sleep,0_2_00677EA3
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677E8A NtQuerySystemInformation,Sleep,0_2_00677E8A
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00678F66 RtlAdjustPrivilege,NtSetInformationThread,0_2_00678F66
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_00402760 CreateFileW,ReadFile,NtClose,2_2_00402760
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,2_2_0040286C
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,2_2_00402F18
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_00401DC2 NtProtectVirtualMemory,2_2_00401DC2
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_00401D94 NtSetInformationThread,2_2_00401D94
Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,2_2_004016B4
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067A68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,0_2_0067A68C
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006720AC 0_2_006720AC
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006780B8 0_2_006780B8
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00674D03 0_2_00674D03
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00674D08 0_2_00674D08
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00675218 0_2_00675218
Source: Joe Sandbox View | Dropped File: C:\ProgramData\CBE8.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process token adjusted: Security
Source: Rcqcps3y45.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Rcqcps3y45.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.2.Rcqcps3y45.exe.670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.Rcqcps3y45.exe.670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: CBE8.tmp.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.rans.evad.winEXE@6/141@0/0
Source: C:\ProgramData\CBE8.tmp | Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_03
Source: C:\ProgramData\CBE8.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Rcqcps3y45.exe | ReversingLabs: Detection: 86%
Source: Rcqcps3y45.exe | Virustotal: Detection: 90%
Source: unknown | Process created: C:\Users\user\Desktop\Rcqcps3y45.exe "C:\Users\user\Desktop\Rcqcps3y45.exe"
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process created: C:\ProgramData\CBE8.tmp "C:\ProgramData\CBE8.tmp"
Source: C:\ProgramData\CBE8.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process created: C:\ProgramData\CBE8.tmp "C:\ProgramData\CBE8.tmp"
Source: C:\ProgramData\CBE8.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: activeds.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: gpedit.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: dssec.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: dsuiext.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: framedynos.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: authz.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: adsldp.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Section loaded: wldp.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: apphelp.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: ncrypt.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: ntasn1.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: windows.storage.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: wldp.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: uxtheme.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: propsys.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: profapi.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: edputil.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: urlmon.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: iertutil.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: srvcli.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: netutils.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: sspicli.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: wintypes.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: appresolver.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: bcp47langs.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: slc.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: userenv.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: sppc.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\CBE8.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
Source: Rcqcps3y45.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Rcqcps3y45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Rcqcps3y45.exe | Static PE information: real checksum: 0x2ddc6 should be: 0x2c0ac
Source: CBE8.tmp.0.dr | Static PE information: real checksum: 0x8fd0 should be: 0x4f26
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067356B push 0000006Ah; retf 0_2_00673644
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006761ED push esp; retf 0_2_006761F6
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006735D5 push 0000006Ah; retf 0_2_00673644
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006735D3 push 0000006Ah; retf 0_2_00673644
Source: CBE8.tmp.0.dr | Static PE information: section name: .text entropy: 7.985216639497568
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\ProgramData\CBE8.tmp
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\ProgramData\CBE8.tmp
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\tnif8b1Sa.README.txt
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\$WinREAgent\tnif8b1Sa.README.txt
Source: C:\Users\user\Desktop\Rcqcps3y45.exe | File created: C:\$WinREAgent\Scratch\tnif8b1Sa.README.txt

            Hooking and other Techniques for Hiding and Protection

            Source: C:\ProgramData\CBE8.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL
            Source: C:\ProgramData\CBE8.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006791C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,CloseEventLog,NtClose,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,0_2_006791C8
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\CBE8.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006710BC 0_2_006710BC
            Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_00401E28 2_2_00401E28
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006710BC rdtsc 0_2_006710BC
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00675C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,0_2_00675C24
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006774BC FindFirstFileExW,FindNextFileW,0_2_006774BC
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067A094 FindFirstFileExW,FindClose,0_2_0067A094
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677590 FindFirstFileExW,FindClose,0_2_00677590
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,0_2_0067766C
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_0067F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,0_2_0067F308
            Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_0040227C FindFirstFileExW,2_2_0040227C
            Source: C:\ProgramData\CBE8.tmp | Code function: 2_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,2_2_0040152C
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00677468 GetLogicalDriveStringsW,GetDriveTypeW,0_2_00677468
            Source: CBE8.tmp, 00000002.00000002.2073822458.00000000006B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: od_VMware_SAD00#4&224f42L$l
            Source: Rcqcps3y45.exe, 00000000.00000003.2032910465.00000000015B7000.00000004.00000020.00020000.00000000.sdmp, Rcqcps3y45.exe, 00000000.00000003.2033316162.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, Rcqcps3y45.exe, 00000000.00000003.2032839207.00000000015B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\CBE8.tmp | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006710BC rdtsc 0_2_006710BC
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_00675A20 LdrLoadDll,0_2_00675A20
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Memory written: C:\ProgramData\CBE8.tmp base: 401000
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Process created: C:\ProgramData\CBE8.tmp "C:\ProgramData\CBE8.tmp"
            Source: C:\ProgramData\CBE8.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006710BC cpuid 0_2_006710BC
            Source: C:\ProgramData\CBE8.tmp | Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,2_2_00403983
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Code function: 0_2_006804B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,0_2_006804B4
            Source: C:\Users\user\Desktop\Rcqcps3y45.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 112 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 311 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 112 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Indicator Removal | LSA Secrets | 122 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Source | Detection | Scanner | Label
            Rcqcps3y45.exe | 87% | ReversingLabs | Win32.Ransomware.Lockbit
            Rcqcps3y45.exe | 90% | Virustotal |
            Rcqcps3y45.exe | 100% | Avira | BDS/ZeroAccess.Gen7
            Rcqcps3y45.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\ProgramData\CBE8.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\ProgramData\CBE8.tmp | 100% | Joe Sandbox ML |
            C:\ProgramData\CBE8.tmp | 83% | ReversingLabs | Win32.Trojan.Malgent
            C:\ProgramData\CBE8.tmp | 83% | Virustotal |
            No Antivirus matches
            Source | Detection | Scanner | Label
            fp2e7a.wpc.phicdn.net | 0% | Virustotal |
            Source | Detection | Scanner | Label
            https://getsession.org/; | 0% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://getsession.org/; | tnif8b1Sa.README.txt.0.dr, tnif8b1Sa.README.txt1.0.dr, tnif8b1Sa.README.txt0.0.dr | true | | unknown
            No contacted IP infos
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1429249
            Start date and time:2024-04-21 14:31:56 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 3m 5s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:7
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Rcqcps3y45.exe
            (renamed file extension from none to exe, renamed because original name is a hash value)
            Original Sample Name:2e83048c7ed1193f09ae8d293b42c105662828f2ab56a2fa1f81379ee250fc46
            Detection:MAL
            Classification:mal100.rans.evad.winEXE@6/141@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 71
            • Number of non-executed functions: 6
            Cookbook Comments:
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
            • Excluded IPs from analysis (whitelisted): 20.114.59.183, 72.21.81.240
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, glb.sls.prod.dcat.dsp.trafficmanager.net
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            No simulations
            No context
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
            fp2e7a.wpc.phicdn.net
              SecuriteInfo.com.Win64.Malware-gen.18747.19997.exe | | malicious | Unknown | 192.229.211.108
              https://www.sigtn.com/utils/emt.cfm?client_id=9195153&campaign_id=73466&link=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 | | malicious | Unknown | 192.229.211.108
              https://modemultiple.pages.dev/ | | malicious | Unknown | 192.229.211.108
              https://sekulstrip.com/ | | malicious | Unknown | 192.229.211.108
              https://private.document-projeect.workers.dev/ | | malicious | HTMLPhisher | 192.229.211.108
              https://document.propoosale-team.workers.dev/ | | malicious | HTMLPhisher | 192.229.211.108
              https://new1256.z1.web.core.windows.net/ | | malicious | Unknown | 192.229.211.108
              https://ibareed.com/ | | malicious | Unknown | 192.229.211.108
              https://appclecb.com/login.php | | malicious | Unknown | 192.229.211.108
              https://appcleca.com/login.php | | malicious | Unknown | 192.229.211.108
            No context
            No context
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
            C:\ProgramData\CBE8.tmp
              LBB.exe | | malicious | LockBit ransomware |
              lockbit_unpacked.exe | | malicious | LockBit ransomware |
              maXk5kqpyK.exe | | malicious | LockBit ransomware |
              maXk5kqpyK.exe | | malicious | LockBit ransomware |
              abc.exe | | malicious | LockBit ransomware |
              55Seo_SeungJoon44.docx | | malicious | LockBit ransomware |
              55VpD64eOy.exe | | malicious | LockBit ransomware |
              0rzZX3x868.docx | | malicious | LockBit ransomware |
              cks.exe | | malicious | LockBit ransomware |
              3YqemSxKv7.exe | | malicious | LockBit ransomware |
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.590570956923321
                                Encrypted:false
                                SSDEEP:3:Xnt6MM64IYrk+9Mh/URpofeoXNq+5/fYz3FDr8n:Xt6Mlqrg8RKffzlAzF8n
                                MD5:B203F02A5BAD10923C69A729F6E3C588
                                SHA1:132B2AE065E8C9DDA0146E18B18FC654591FC929
                                SHA-256:0E57BB0B1732B795A941E63ABB810582AC8BF7B5D4DB0AC7C0BB4CDF7DB18E70
                                SHA-512:A31CA9FDDB6C5C2E2B7EC83BE5E27A7C36BC1D1B352CBD6FBA1ACDB9293DAE0989AA2A642B1FAF58E629C2A33E079F2C126C9B3B26B97B8307EDFD5485EDADED
                                Malicious:false
                                Reputation:low
                                Preview:....w.AU.ii....2*)..t....^M....c.9RD|.KaG6.sJ.....i.....@^...T+...ZHwN...J...=:...$......E...3p.I.e......n.|....*.n.$..._...Y
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.534407294149392
                                Encrypted:false
                                SSDEEP:3:nbscLDt2bqE+kTnMSxr6uDUj9FfasfULa0fj3oxHR/NUaglR90C:bh2rfnMUr6aY0sfUL/fbmJ2aMR95
                                MD5:58A7AA1D88D24AF32A8D3994989C42DA
                                SHA1:B62AB7506E7AF9CA5855C4CAD5EACC63A854B053
                                SHA-256:AEC2E15CCA0A504FB1176425AECF9C6CC569902251D5A62C01A20DCA5DC189D9
                                SHA-512:1DF9BDB3786100B9920AC2A00BC232BDAF8C98B017893F024EE84D694BC3080BE3CE07930752F2A3D2042E2B0931A5BB1E805293731CB7516929BA70F0B895A1
                                Malicious:false
                                Preview:..q./....q.....Qq.f.S..![..".B../............WnoF..%Z`/...XP;nuJT./!.....KA.....Qm".y.,.}.;.S...J...I..g...ySo?..P...|L.
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.569215239852285
                                Encrypted:false
                                SSDEEP:3:bAT69rpsFQzR8a1bUd/n5koXKZrgWJdpIqtCOKqW:bo69rpsFW8UEBkfrgWcrqW
                                MD5:EF41D7A676EC7B21B5B47C64B804BC24
                                SHA1:9FB722062B2E7DF43A04502E33FAC9C60BB3CF16
                                SHA-256:AF34AF0BF82B78FB1061A5168F19F38524845446FDFBF80BEE2C32EC8D3E2783
                                SHA-512:6029C28F97CAD743F2269A404AC705BBA1891DD084EB958A07B02BB609A8F63FCCABACC0F441B161EF849540C1C69AAF073FC22A305FA6FF67C881A9B2161503
                                Malicious:false
                                Preview:T.K.%.b..pd....xZk.nJ."..(Q.[!.....?..h..~.q..T{.HY..x...%.J.g.,.......A<..?... .#.......v./..m......jd&{1..g.....s
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):129
                                Entropy (8bit):6.646734619697244
                                Encrypted:false
                                SSDEEP:3:JwrciTmxChnP0yr035wmZc85RIchpECsbeRuwqkI7zn:JiEin03um1oQ5sb1wqkIPn
                                MD5:8EE69086AD271014C6804D3132D3AACD
                                SHA1:02FF9E6FE8F4C99AA6A45C3BCB936A1DE1188905
                                SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
                                SHA-512:492B764B21372293504DC23AEEE6A81365D4DC83F47D8F262007842B373C78387364865A0DA98DBDB4BD4C515D474D796B904ADD4C7BABE7CFFEFECE45FD86D6
                                Malicious:false
                                Preview:3....j....Y...#.7.V6.Ei...#...o..{......r#...R.....x`W.q..]..9.....3..zk!R.}...w........ls.DL.').f......?.f.d.R.3.K....$....xT
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:ASCII text, with very long lines (350), with no line terminators
                                Category:dropped
                                Size (bytes):350
                                Entropy (8bit):4.825456428240005
                                Encrypted:false
                                SSDEEP:6:lSlYCVEJ9r7qQFXebAMvyS/FRnptgGUJtLOx/AlxcLV6sBqXzzO3nMOibGRziLV6:jCVupXXeymRDEOpgcLV0XzzO8OtRoU
                                MD5:C3F1F1406B76280A20BEAB76871189BC
                                SHA1:B065841B3F5331712E6672ED22EDC023393E667D
                                SHA-256:85B163BE93481E99E3BB328D1A69B200616BDB0AFA297EE5F9EE1AE546BDDA9A
                                SHA-512:F7A64C57B19FAA69D6825F74C175A50AA9DA22E94E673D76429724A7EE5CFCCDFE60F495B040EA2E97D8AB1EE26D898FD6BA7B6161425CCE7D39C39FD57BEB19
                                Malicious:false
                                Preview:go to https://getsession.org/; download & install; run, click conversations, send new message to this id 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912; mention this code FORMOSA in your initial message; then wait for our response; we have exfiltrated all your valuable data; we are going to publish it on the dark web pretty soon
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14336
                                Entropy (8bit):7.4998500975364095
                                Encrypted:false
                                SSDEEP:384:5cFP7VtpK4p+31Mzh79W5vM+ZyUgGq4BtMvAxXCRsi:A7Vf9p+qQ02y5HW6kX
                                MD5:294E9F64CB1642DD89229FFF0592856B
                                SHA1:97B148C27F3DA29BA7B18D6AEE8A0DB9102F47C9
                                SHA-256:917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                                SHA-512:B87D531890BF1577B9B4AF41DDDB2CDBBFA164CF197BD5987DF3A3075983645A3ACBA443E289B7BFD338422978A104F55298FBFE346872DE0895BDE44ADC89CF
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 83%
                                 • Antivirus: Virustotal, Detection: 83%
                                 Joe Sandbox View:
                                 • Filename: LBB.exe, Detection: malicious
                                 • Filename: lockbit_unpacked.exe, Detection: malicious
                                 • Filename: maXk5kqpyK.exe, Detection: malicious
                                 • Filename: maXk5kqpyK.exe, Detection: malicious
                                 • Filename: abc.exe, Detection: malicious
                                 • Filename: 55Seo_SeungJoon44.docx, Detection: malicious
                                 • Filename: 55VpD64eOy.exe, Detection: malicious
                                 • Filename: 0rzZX3x868.docx, Detection: malicious
                                 • Filename: cks.exe, Detection: malicious
                                 • Filename: 3YqemSxKv7.exe, Detection: malicious
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YPb.................,...........9.......@....@..........................p.......................@......................A..P....`...............................@......................`@.......................@..`............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...`....P.......4..............@....rsrc........`.......6..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
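The dropped-file records in this report are flat Key:Value lines, and the same SHA-256 recurs across many paths (the 129-byte blob, the ransom note, and the 148992-byte high-entropy files written by C:\ProgramData\CBE8.tmp). The Python helper below is an added example, not part of Joe Sandbox or of this report: it parses records of this shape, collapses repeated drops of identical content into one summary per SHA-256, extracts the Session ID and code word from a text preview, and recomputes 8-bit Shannon entropy, the measure behind the report's 'Entropy (8bit)' field and its 'Writes many files with high entropy' signature. The embedded sample records are constructed from values on this page with fields and previews shortened; the 7.9 entropy cut-off and the 'mention this code' phrase matcher are assumptions, not Joe Sandbox's own logic.

```python
"""Triage helper for the flat "Key:Value" dropped-file records of a sandbox report.
Added example for this page, not Joe Sandbox code."""
import math
import re

# Session (getsession.org) IDs are 33 bytes shown as 66 hex chars with prefix 05.
SESSION_ID_RE = re.compile(r"\b(05[0-9a-f]{64})\b")
# Assumption: this note's "mention this code WORD" wording; other notes differ.
CODE_WORD_RE = re.compile(r"mention this code ([A-Za-z0-9]+)")
HIGH_ENTROPY = 7.9  # assumed cut-off for "looks encrypted"; not the report's own value

# Constructed from values on this page, with fields and previews shortened.
SAMPLE_REPORT = """\
Process:C:\\Users\\user\\Desktop\\Rcqcps3y45.exe
File Type:data
Size (bytes):129
Entropy (8bit):6.646734619697244
Encrypted:false
SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
Process:C:\\Users\\user\\Desktop\\Rcqcps3y45.exe
File Type:data
Size (bytes):129
Entropy (8bit):6.646734619697244
Encrypted:false
SHA-256:D23D2D8D6269DB105A09674A6E9A77902E46A37A2789D8EF30451FC911DA2D6B
Process:C:\\Users\\user\\Desktop\\Rcqcps3y45.exe
File Type:ASCII text, with very long lines (350), with no line terminators
Size (bytes):350
Entropy (8bit):4.825456428240005
Encrypted:false
SHA-256:85B163BE93481E99E3BB328D1A69B200616BDB0AFA297EE5F9EE1AE546BDDA9A
Preview:go to https://getsession.org/; send new message to this id 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912; mention this code FORMOSA in your initial message
Process:C:\\ProgramData\\CBE8.tmp
File Type:data
Size (bytes):148992
Entropy (8bit):7.997070620004959
Encrypted:true
SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
Preview:F...3..@U.OU..Y]vt..jX.T
"""


def parse_records(text):
    """One dict per dropped file; a record starts at each 'Process:' line.
    Only the first ':' splits key from value, so previews containing URLs survive.
    Bullet sub-lists ('• Antivirus: ...') are not fields and are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        key, sep, value = line.partition(":")
        if not sep or line.startswith("•"):
            continue
        if key == "Process":
            records.append({})
        if records:
            records[-1][key.strip()] = value.strip()
    return records


def group_by_hash(records):
    """Collapse repeated drops of identical content into one summary per SHA-256."""
    groups = {}
    for r in records:
        g = groups.setdefault(r.get("SHA-256", "").upper(), {
            "count": 0,
            "size": int(r.get("Size (bytes)", 0)),
            "entropy": float(r.get("Entropy (8bit)", 0)),
            "encrypted": r.get("Encrypted", "").lower() == "true",
            "processes": set(),
        })
        g["count"] += 1
        g["processes"].add(r.get("Process", ""))
    return groups


def ransom_contacts(records):
    """Session IDs and the code word from text previews (the ransom notes)."""
    hits = []
    for r in records:
        if not r.get("File Type", "").startswith("ASCII text"):
            continue
        preview = r.get("Preview", "")
        code = CODE_WORD_RE.search(preview)
        for sid in SESSION_ID_RE.findall(preview):
            hits.append({"session_id": sid, "code": code.group(1) if code else None})
    return hits


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the measure behind 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data):
    """Entropy flag of the kind behind 'Writes many files with high entropy'."""
    return shannon_entropy(data) >= HIGH_ENTROPY
```

Feed `parse_records` the text of a report's dropped-files section and print `group_by_hash` per entry: one artifact written to several paths shows up as a single hash with a count, which is much easier to read than the run of identical records above, and any Session ID that `ransom_contacts` pulls out of a note belongs in the incident record, not in a messenger client.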
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\ProgramData\CBE8.tmp
                                File Type:data
                                Category:modified
                                Size (bytes):148992
                                Entropy (8bit):7.997070620004959
                                Encrypted:true
                                SSDEEP:3072:IWdZi0r+Jg0jTalV47MbWdZi0r+Jg0jTalV47MbWdZR:Isj0/ssj0/ssR
                                MD5:83AD7E5D6B4CE698B4C55EB4225D68C2
                                SHA1:C06A53FFB5D4A274DD1118DA9B9B0B9F48F8967B
                                SHA-256:DDAECE5C6BA6D78FC703531E8E106EA75792B64E8B88FD168D6B06265CF89EBC
                                SHA-512:7C20043EB4BFC3E91D5D74A6700BAAB878A9645156377424DAB50120D38A8863DA8DDC9CED74AB8EB0198EB78B8AEE3A273030E1C4021716A2A85A4D88D83BA2
                                Malicious:true
                                Preview:F...3..@U.OU..Y]vt..jX.T...?..Z..f.70.[..>mE....A~...L.........4.k.....g..=6.E7.d...z....Ht.fcM.G-..H\....S.w..s..!.>....q.]2G..f......`..O.e..VK.L`...@.t..1..q....DE.....K,..k.s...]0.Z.....q.y.J..w.6Dl.(......2..t..RK.....s."W.]P..s[a..B..0D.x Lny...c..6FQ.S...;..4.".l[.e....a..._..(W......Yd.Q.#......\.K7cr..cyqR._c...]...+V.)(.......P.h1.eN...7.gC.]..Y!...x.M..dT......7.......d.uw'.<....)...<...J.M.4.,...@?..;..1%$k...B.i.....c.Sn....{,..u.C@.0.9...pk.N.#.........<..Q.C.O.+.K.z=.X~....M..R....z~".@.k.V....aL..u..(......'.^...7.S...=....7.......h.8...n/".(...............^z.4.....K#7C........A.......COV.i|vG..2<=i....Q.KZ..*S.6*...S/./...(..u..p...W6.....c@.k}..68.t.g\...E..o.(.9.\...}...e....FA.[&....-.D..&. .9.._.y%..Ue..8...'f.._.j...#1....|C.2......\sD*...%.....-6.9.......6u.....J../.?..]xj...8...)Q...Ha..-H.;.Z..jH.<.......^........."..T.e:.%d../...._..~..{....E..I.E...(.HC...L.4.17.L)1.....$P......~......../us.U%....k...H2...
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:ASCII text, with very long lines (350), with no line terminators
                                Category:dropped
                                Size (bytes):350
                                Entropy (8bit):4.825456428240005
                                Encrypted:false
                                SSDEEP:6:lSlYCVEJ9r7qQFXebAMvyS/FRnptgGUJtLOx/AlxcLV6sBqXzzO3nMOibGRziLV6:jCVupXXeymRDEOpgcLV0XzzO8OtRoU
                                MD5:C3F1F1406B76280A20BEAB76871189BC
                                SHA1:B065841B3F5331712E6672ED22EDC023393E667D
                                SHA-256:85B163BE93481E99E3BB328D1A69B200616BDB0AFA297EE5F9EE1AE546BDDA9A
                                SHA-512:F7A64C57B19FAA69D6825F74C175A50AA9DA22E94E673D76429724A7EE5CFCCDFE60F495B040EA2E97D8AB1EE26D898FD6BA7B6161425CCE7D39C39FD57BEB19
                                Malicious:true
                                Preview:go to https://getsession.org/; download & install; run, click conversations, send new message to this id 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912; mention this code FORMOSA in your initial message; then wait for our response; we have exfiltrated all your valuable data; we are going to publish it on the dark web pretty soon
                                Process:C:\Users\user\Desktop\Rcqcps3y45.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):3.7334585933443503
                                Encrypted:false
                                SSDEEP:3:8nQtI2Y1An8wKXP+FRR:8QCG8NyRR
                                MD5:2CA35BD7B2061206BE69BC155EBF5A54
                                SHA1:98FCFDE7558D0EEE4663044C254CC267EC737F3C
                                SHA-256:A77955363E5746DA39639FD1E28959B3A43F1D1C73E0F406EECFE85D295C4FE0
                                SHA-512:E442DD1230F5A711EB1587AA921CC21C0DB90D07E96D64DC095567932AB846329A5C78A3EC20E5126D4D4C4417161B9E95DAC03696AFA71DB8102DFB03BD01CC
                                Malicious:false
                                Preview:....5.6.2.2.5.8.....\MAILSLOT\NET\GETDC7C430E20............ ....
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):22
                                Entropy (8bit):4.186704345910024
                                Encrypted:false
                                SSDEEP:3:otlbfICv:otBgCv
                                MD5:AA83228236A211E1E34AB7A8F8338992
                                SHA1:B638A51ADF7C28AAE64F87FBD8CD9927AD38982E
                                SHA-256:5C9FAA9017C7133104AFEEBC85B8B7AA24B1624CD0C3CD9BBE08EA65A951583B
                                SHA-512:F8A94265E3F0433BAE7116C6B4F89B4FB0A3FDD7B21F77B04D018BAB21DCDAEF61BDA22D1D43FB86541C970AAF3738AA4F57290B88DA30AAB583559A29E2F13A
                                Malicious:false
                                Preview:C:\PROGRA~3\CBE8.tmp..
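The dropped-file entries above each carry the same triage fields (size, 8-bit entropy, an Encrypted verdict, the four digests and a content preview). The following script, added here as an example and not part of the Joe Sandbox report, reproduces that triage over three inputs: the ransom note text exactly as previewed above, a constructed stand-in for an encrypted victim file, and the 22-byte cmd.exe output file. It also pulls the contact URL, the Session ID and the campaign code out of the note. The 7.5 bits/byte threshold for "looks encrypted" is an assumption; Joe Sandbox does not publish the cut-off behind its Encrypted column.

```python
"""Dropped-file triage: digests, 8-bit entropy and ransom-note IOC extraction (added example)."""
import hashlib
import math
import re
from collections import Counter

# Assumption: the sandbox does not publish its "Encrypted" threshold; 7.5 bits per
# byte is a common cut-off for "compressed or encrypted" content.
ENCRYPTED_THRESHOLD = 7.5

SESSION_ID_RE = re.compile(r"\b05[0-9a-f]{64}\b")   # Session IDs: 66 hex chars, prefix 05
URL_RE = re.compile(r"https?://[^\s;]+")
CODE_RE = re.compile(r"\bcode\s+([A-Z0-9]{4,})\b")  # "mention this code FORMOSA"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0, the same quantity as the report's Entropy (8bit) field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


def classify(data: bytes) -> str:
    """Coarse verdict mirroring the report's File Type / Encrypted columns."""
    if shannon_entropy(data) >= ENCRYPTED_THRESHOLD:
        return "high-entropy (likely encrypted or compressed)"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ascii-text"
    return "data"


def extract_note_iocs(text: str) -> dict:
    """Contact channel, victim/chat ID and campaign code from a ransom note."""
    url, session, code = URL_RE.search(text), SESSION_ID_RE.search(text), CODE_RE.search(text)
    return {"url": url.group(0) if url else None,
            "session_id": session.group(0) if session else None,
            "code": code.group(1) if code else None}


def triage(name: str, data: bytes) -> dict:
    result = {"name": name, "size": len(data), "entropy": round(shannon_entropy(data), 6),
              "verdict": classify(data)}
    result.update(digests(data))
    if result["verdict"] == "ascii-text":
        result["iocs"] = extract_note_iocs(data.decode("ascii"))
    return result


# Ransom note text exactly as previewed in the report (350 bytes, no line terminator).
RANSOM_NOTE = (
    "go to https://getsession.org/; download & install; run, click conversations, "
    "send new message to this id 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912; "
    "mention this code FORMOSA in your initial message; then wait for our response; "
    "we have exfiltrated all your valuable data; we are going to publish it on the dark web pretty soon"
).encode("ascii")

# Constructed stand-ins: an "encrypted" file (every byte value equally often, so exactly
# 8.0 bits/byte) and the cmd.exe output file from the report (22 bytes, CRLF-terminated).
ENCRYPTED_BLOB = bytes(range(256)) * 16
CMD_OUTPUT = b"C:\\PROGRA~3\\CBE8.tmp\r\n"

SAMPLES = {"note.txt": RANSOM_NOTE, "victim.docx": ENCRYPTED_BLOB, "cmd_out.txt": CMD_OUTPUT}


def triage_all(samples=SAMPLES) -> list:
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        print(r["name"], r["size"], r["entropy"], r["verdict"], r["md5"], r.get("iocs", ""))
```

The note scores around 4.8 bits/byte and the constructed blob exactly 8.0, which is the gap the report's Encrypted column relies on; files encrypted by the sample land near the top of that range, ransom notes and scripts near the bottom.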
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.195550483461238
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.94%
                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:Rcqcps3y45.exe
                                File size:148'992 bytes
                                MD5:4e39dcfb9913e475f04927e71f38733a
                                SHA1:5618cdd20144cf44ac0719bf917aac2ff882e41c
                                SHA256:2e83048c7ed1193f09ae8d293b42c105662828f2ab56a2fa1f81379ee250fc46
                                SHA512:678581a15c404351c98bacb0b2aa432023e9335536fefda4fe6613d2ba7daada5fa7fbc52b37c9b1c4421c7b66be44f1a5162d45478671018f8120ebbfa483e0
                                SSDEEP:3072:p6glyuxE4GsUPnliByocWepO+cDevjAEyYFEf:p6gDBGpvEByocWe0+oeENY
                                TLSH:DFE37E21F252D073C87718F13736B1B1F39E8D6C19A96807EAE80F99BCA54232F45997
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..c............................o.............@.......................................@...........@....................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x41946f
                                Entrypoint Section:.itext
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x631A9665 [Fri Sep 9 01:27:01 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:41fb8cb2943df6de998b35a9d28668e8
                                Instructions at entrypoint (0x41946f, section .itext):
                                nop
                                nop word ptr [eax+eax+00000000h]
                                call 00007F9E74A3D817h
                                nop dword ptr [eax+00h]
                                call 00007F9E74A2ABAAh
                                nop
                                call 00007F9E74A2E197h
                                nop dword ptr [eax+00h]
                                call 00007F9E74A3BC56h
                                nop word ptr [eax+eax+00h]
                                push 00000000h
                                call dword ptr [004255C8h]
                                nop word ptr [eax+eax+00000000h]
                                call 00007F9E74A3D5B6h
                                call 00007F9E74A3D5A5h
                                call 00007F9E74A3D594h
                                call 00007F9E74A3D5A1h
                                call 00007F9E74A3D58Ah
                                call 00007F9E74A3D585h
                                call 00007F9E74A3D586h
                                call 00007F9E74A3D59Fh
                                call 00007F9E74A3D594h
                                call 00007F9E74A3D55Fh
                                call 00007F9E74A3D53Ch
                                call 00007F9E74A3D549h
                                call 00007F9E74A3D538h
                                call 00007F9E74A3D551h
                                call 00007F9E74A3D552h
                                call 00007F9E74A3D53Bh
                                call 00007F9E74A3D52Ah
                                call 00007F9E74A3D50Dh
                                call 00007F9E74A3D508h
                                call 00007F9E74A3D527h
                                call 00007F9E74A3D50Ah
                                call 00007F9E74A3D4F3h
                                call 00007F9E74A3D4FAh
                                call 00007F9E74A3C085h
                                call 00007F9E74A3C08Ch
                                call 00007F9E74A3C069h
                                call 00007F9E74A3C070h
                                Data directories (Name / Virtual Address / Virtual Size / Section):
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x1a230  0x50   .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x27000  0xfd0  .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x1a120  0x1c   .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_TLS             0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_IAT             0x1a000  0x70   .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0      0x0    -
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0      0x0    -
                                Note: the RESOURCE, SECURITY and LOAD_CONFIG directories are empty. The binary therefore carries no version resource, no Authenticode signature (consistent with "Digitally signed: false" above) and no load-configuration table, so there is no SafeSEH or CFG metadata for the loader to enforce.
                                Sections (Name: Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
                                .text:  0x1000  | 0x17de8 | 0x17e00 | cfbda2c44e51b3b0b00bcbbc767c62a2 | False | 0.48375122709424084 | data | 6.634079266913224 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .itext: 0x19000 | 0x546   | 0x600   | 6f4cd57381bb5584c0a0755384d25180 | False | 0.251953125 | data | 2.9337361310958805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata: 0x1a000 | 0x492   | 0x600   | bd829aa493ecd52fe5bec776d207f206 | False | 0.3671875 | data | 3.5366359784052652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data:  0x1b000 | 0xadc8  | 0xa000  | adbc33964585d2011ba48c7830a492b1 | False | 0.9827392578125 | SysEx File - | 7.9857525736586625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .pdata: 0x26000 | 0x66f   | 0x800   | f10546add0de74d69cb040a37f575802 | False | 0.83740234375 | data | 7.0231021508248315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .reloc: 0x27000 | 0xfd0   | 0x1000  | 3f87e4c23650dfad0bee7da98889ba94 | False | 0.843505859375 | GLS_BINARY_LSB_FIRST | 6.738987246879603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Note: .data has near-maximal entropy (7.99) and a ZLIB complexity of 0.98, i.e. its 0xa000 raw bytes do not compress, which is the usual signature of a packed or encrypted payload decoded at run time; the file-type guess "SysEx File -" is libmagic misreading that blob. Both .data and .pdata are writable. Despite its name, .pdata is not an exception table here: the EXCEPTION data directory is empty. The entry point sits in the small .itext section (0x546 bytes), not in .text.
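The section table above is the place where a packed or self-modifying binary gives itself away: writable sections that are also executable, sections whose bytes do not compress, an entry point outside the main code section. The script below, added here as an example and not code from the Joe Sandbox report, reproduces those checks with the standard library only: it walks the DOS header, PE signature, COFF header, optional header and section table, computes per-section entropy, locates the entry point's section and decodes the build timestamp and the DYNAMIC_BASE / NX_COMPAT flags. Because no PE can ship inside the page, it also builds a minimal constructed PE32 image (headers plus three section bodies shaped like the table above) to run against; that image is not loadable by Windows and exists only to exercise the parser. The 7.5 bits/byte "high-entropy" threshold is an assumption.

```python
"""PE section-table triage with the standard library only (added example, not report code)."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.5  # assumption: packed or encrypted payloads usually sit above this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0, as in the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    # CheckSum (+64), Subsystem (+68) and DllCharacteristics (+70) share offsets in PE32 and PE32+.
    checksum, subsystem, dll_chars = struct.unpack_from("<IHH", pe, opt + 64)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, hdr)
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        flags = []
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable+executable")
        if rawsize and ent >= HIGH_ENTROPY:
            flags.append("high-entropy")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "entropy": round(ent, 4), "chars": chars, "flags": flags})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {"machine": machine, "pe32plus": magic == 0x20B, "timestamp": stamp,
            "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "checksum": checksum, "subsystem": subsystem, "dll_characteristics": dll_chars,
            "nx_compat": bool(dll_chars & 0x0100), "dynamic_base": bool(dll_chars & 0x0040),
            "entry_rva": entry_rva, "entry_section": entry_section, "sections": sections}


def build_sample_pe(sections, timestamp=0x631A9665, entry_rva=0x1000) -> bytes:
    """Emit a minimal, constructed PE32 (headers plus section bodies); not loadable by Windows."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<IHH", opt, 64, 0, 2, 0x0140)      # checksum 0, GUI, DYNAMIC_BASE|NX_COMPAT
    headers, bodies, va, rawptr = [], bytearray(), sect_align, hdr_len
    for name, chars, data in sections:
        rawsize = -(-len(data) // file_align) * file_align
        headers.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, rawsize, rawptr,
                                   0, 0, 0, 0, chars))
        bodies += data.ljust(rawsize, b"\0")
        va += -(-rawsize // sect_align) * sect_align
        rawptr += rawsize
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(headers)
    return head.ljust(hdr_len, b"\0") + bytes(bodies)


# Constructed sample shaped like the report's table: plain code, an encrypted-looking
# .data blob, and one section (named .stub here) that is both writable and executable.
SAMPLE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 0x200),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, bytes(range(256)) * 4),
    (b".stub", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE,
     bytes(range(256)) * 2),
])

if __name__ == "__main__":
    info = parse_pe(SAMPLE)
    print("built", info["timestamp_utc"], "entry in", info["entry_section"], "NX", info["nx_compat"])
    for s in info["sections"]:
        print(f"{s['name']:8} va=0x{s['va']:05x} raw=0x{s['rawsize']:05x} H={s['entropy']:.3f} {s['flags']}")
```

Run against the real sample the same code would report the .data section as high-entropy and .itext as the entry section; the constructed image uses the report's build timestamp (0x631A9665) so the decoded date can be compared with the Time Stamp field above.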
                                Imports (DLL: functions):
                                gdi32.dll: SetPixel, SetDCBrushColor, SelectPalette, GetTextColor, GetDeviceCaps, CreateSolidBrush
                                USER32.dll: DefWindowProcW, CreateMenu, EndDialog, GetDlgItem, GetKeyNameTextW, GetMessageW, GetWindowTextW, IsDlgButtonChecked, LoadImageW, LoadMenuW, DialogBoxParamW
                                KERNEL32.dll: SetLastError, LoadLibraryW, GetTickCount, GetLastError, GetCommandLineW, GetCommandLineA, FreeLibrary
                                Note: the static import table (IAT size 0x70) holds only GUI and loader housekeeping functions. None of the file, heap, token, process, service or memory APIs that the execution graph later in this report shows being called (RtlCreateHeap, NtProtectVirtualMemory, CreateProcessW, OpenSCManagerW and so on) are imported statically; the graph contains LdrLoadDll and LdrGetProcedureAddress nodes, so those APIs are resolved at run time and import-based static triage understates what the sample does.
                                DNS (Timestamp | Source IP -> Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
                                Apr 21, 2024 14:33:02.502604008 CEST | 1.1.1.1 -> 192.168.2.5 | 0xccb7 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                Apr 21, 2024 14:33:02.502604008 CEST | 1.1.1.1 -> 192.168.2.5 | 0xccb7 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.211.108 | A (IP address) | IN (0x0001) | false
                                Note: these two records are one response (same transaction ID 0xccb7) to a single query. The report ties this lookup to none of the processes listed below; do not treat the phicdn.net name or 192.229.211.108 as a sample indicator unless a capture attributes the query to one of the sample's processes.
                                Target ID:0
                                Start time:14:32:42
                                Start date:21/04/2024
                                Path:C:\Users\user\Desktop\Rcqcps3y45.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Rcqcps3y45.exe"
                                Imagebase:0x670000
                                File size:148'992 bytes
                                MD5 hash:4E39DCFB9913E475F04927E71F38733A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000000.2004558092.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:14:32:48
                                Start date:21/04/2024
                                Path:C:\ProgramData\CBE8.tmp
                                Wow64 process (32bit):true
                                Commandline:"C:\ProgramData\CBE8.tmp"
                                Imagebase:0x400000
                                File size:14'336 bytes
                                MD5 hash:294E9F64CB1642DD89229FFF0592856B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 83%, ReversingLabs
                                • Detection: 83%, Virustotal, Browse
                                Reputation:moderate
                                Has exited:true

                                Target ID:3
                                Start time:14:32:49
                                Start date:21/04/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:14:32:49
                                Start date:21/04/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true
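The four processes above form a short chain: the sample, a helper executable written to C:\ProgramData\CBE8.tmp and run from there, and a cmd.exe that deletes that helper with its output sent to NUL (conhost.exe is just the console host for that cmd.exe). The script below, added here as an example and not part of the Joe Sandbox report, runs two detection rules and one correlation over constructed process-creation events modelled on that list plus one benign decoy. The parent/child links in the events are an assumption: the report lists the processes but does not print each one's parent. One detail worth the extra regex is that the delete command names the directory by its 8.3 alias (C:\PROGRA~3), so a rule that only matches the string "ProgramData" misses it.

```python
"""Detect the drop -> execute -> self-delete chain from the process list (added example, not report code)."""
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1-style records modelled on the report's process list.
# pid/ppid values and the parent links are assumptions; paths and command lines are from the report.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\Rcqcps3y45.exe",
     "cmd": r'"C:\Users\user\Desktop\Rcqcps3y45.exe"', "time": "14:32:42"},
    {"pid": 200, "ppid": 100, "image": r"C:\ProgramData\CBE8.tmp",
     "cmd": r'"C:\ProgramData\CBE8.tmp"', "time": "14:32:48"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CBE8.tmp >> NUL', "time": "14:32:49"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "time": "14:32:49"},
    # Benign decoy (constructed): an installer deleting its own log in the user's temp directory.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /C DEL /Q "C:\Users\user\AppData\Local\Temp\setup.log"', "time": "14:40:00"},
]

# C:\ProgramData also appears under its 8.3 alias (PROGRA~3 on this image); match both spellings.
PROGRAMDATA_RE = re.compile(r"(?i)^[a-z]:\\(ProgramData|PROGRA~\d)\\")
TMP_IN_PROGRAMDATA_RE = re.compile(r"(?i)[a-z]:\\(ProgramData|PROGRA~\d)\\[^\\\s\"]+\.tmp\b")
DEL_RE = re.compile(r"(?i)\bDEL(?:\s+/[A-Z])*\s+/Q\b")   # DEL with /Q (quiet), optionally /F etc. before it
NUL_REDIRECT_RE = re.compile(r">+\s*NUL\b", re.I)


def rule_tmp_executed_from_programdata(ev) -> bool:
    """A .tmp file being executed out of C:\\ProgramData."""
    return ev["image"].lower().endswith(".tmp") and bool(PROGRAMDATA_RE.match(ev["image"]))


def rule_cmd_deletes_programdata_tmp(ev) -> bool:
    """cmd.exe quietly deleting a .tmp under ProgramData with output discarded to NUL."""
    is_cmd = ev["image"].lower().endswith("\\cmd.exe")
    c = ev["cmd"]
    return is_cmd and bool(DEL_RE.search(c)) and bool(TMP_IN_PROGRAMDATA_RE.search(c)) \
        and bool(NUL_REDIRECT_RE.search(c))


def find_self_delete_chains(events) -> list:
    """Correlate: X.tmp executed from ProgramData whose direct child cmd.exe deletes X.tmp."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if not rule_tmp_executed_from_programdata(e):
            continue
        basename = e["image"].rsplit("\\", 1)[-1].lower()
        for child in children[e["pid"]]:
            if rule_cmd_deletes_programdata_tmp(child) and basename in child["cmd"].lower():
                hits.append({"dropper": by_pid.get(e["ppid"], {}).get("image"), "helper": e["image"],
                             "deleter_pid": child["pid"], "cmd": child["cmd"]})
    return hits


def evaluate(events=EVENTS) -> dict:
    return {"tmp_exec": [e["pid"] for e in events if rule_tmp_executed_from_programdata(e)],
            "tmp_delete": [e["pid"] for e in events if rule_cmd_deletes_programdata_tmp(e)],
            "chains": find_self_delete_chains(events)}


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(key, value)
```

Either rule alone is a useful hunting query; the correlation is what turns them into a high-confidence alert, because it requires the deleter to be a child of the very .tmp it removes, which the decoy event does not satisfy.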


                                  Execution Graph

                                  Execution Coverage:15.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:16.5%
                                  Total number of Nodes:1933
                                  Total number of Limit Nodes:7
                                  execution_graph: rendered as an interactive node/edge graph on the original page; the raw node list is omitted here. API calls that appear as graph nodes: RtlAdjustPrivilege, NtSetInformationThread, NtClose, RtlCreateHeap, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, LdrLoadDll, LdrGetProcedureAddress, FindFirstFileW, FindNextFileW, FindClose, NtProtectVirtualMemory, NtQueryInformationToken, CheckTokenMembership, NtQuerySystemInformation, NtSetInformationProcess, NtTerminateThread, CreateThread, SetThreadPriority, KiUserCallbackDispatcher, OpenSCManagerW, CoInitialize, GetLogicalDriveStringsW, GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread, ConnectNamedPipe. One chain of nodes (addresses 6805d4 through 680895) calls GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread and ConnectNamedPipe in that order: a helper executable is written to a temp file, started, patched in memory before its main thread is resumed, and then talked to over a named pipe. That is consistent with the C:\ProgramData\CBE8.tmp process in the process list above.
GetVolumeNameForVolumeMountPointW 10046->10047 10049 67a6f6 FindFirstVolumeW 10047->10049 10050 67a947 10049->10050 10055 67a712 10049->10055 10050->9778 10051 67a72b GetVolumePathNamesForVolumeNameW 10051->10055 10052 67a75c GetDriveTypeW 10052->10055 10053 67a7fd CreateFileW 10054 67a823 DeviceIoControl 10053->10054 10053->10055 10054->10055 10055->10050 10055->10051 10055->10052 10055->10053 10056 67a600 6 API calls 10055->10056 10056->10055 10058 680a92 10057->10058 10059 680b08 10058->10059 10063 680b63 10058->10063 10216 67b4dc CheckTokenMembership 10058->10216 10061 680b0c 10059->10061 10217 676984 10059->10217 10061->9792 10063->9792 10065 680bf9 10064->10065 10221 67a488 CreateThread 10065->10221 10067 680c0b 10068 676844 RtlAllocateHeap 10067->10068 10087 680c11 10067->10087 10072 680c23 10068->10072 10069 67686c RtlFreeHeap 10071 680e0a 10069->10071 10070 680e18 10075 680e26 10070->10075 10077 67686c RtlFreeHeap 10070->10077 10071->10070 10073 67686c RtlFreeHeap 10071->10073 10074 67a488 6 API calls 10072->10074 10072->10087 10073->10070 10076 680c40 10074->10076 10075->9765 10078 676844 RtlAllocateHeap 10076->10078 10076->10087 10077->10075 10079 680c5b 10078->10079 10080 676844 RtlAllocateHeap 10079->10080 10079->10087 10088 680c76 10080->10088 10082 676984 RtlAllocateHeap 10083 680cd2 CreateThread 10082->10083 10083->10088 10239 67f308 GetFileAttributesW 10083->10239 10084 676984 RtlAllocateHeap 10084->10088 10085 680d15 NtClose 10085->10088 10086 67b3c0 2 API calls 10086->10088 10087->10069 10087->10071 10088->10082 10088->10084 10088->10085 10088->10086 10088->10087 10229 67a1c0 CreateThread 10088->10229 10090 67fcb4 10089->10090 10091 676844 RtlAllocateHeap 10090->10091 10092 67fcc1 10091->10092 10106 67fcca 10092->10106 10392 67f82c 10092->10392 10095 67ffdb 10097 67ffe9 10095->10097 10099 67686c RtlFreeHeap 10095->10099 10096 67686c RtlFreeHeap 10096->10095 10100 67fff7 10097->10100 10102 67686c RtlFreeHeap 10097->10102 10098 676844 
RtlAllocateHeap 10101 67fcf7 10098->10101 10099->10097 10100->9769 10103 676844 RtlAllocateHeap 10101->10103 10101->10106 10102->10100 10110 67fd12 10103->10110 10104 67f59c NtSetInformationThread NtClose 10104->10110 10106->10095 10106->10096 10107 67f6d8 NtSetInformationThread NtClose 10107->10110 10108 67b3c0 2 API calls 10108->10110 10109 67686c RtlFreeHeap 10109->10110 10110->10104 10110->10106 10110->10107 10110->10108 10110->10109 10398 6769e0 10110->10398 10112 67e2a7 10111->10112 10113 67e27b 10111->10113 10112->9781 10113->10112 10114 67e29b NtClose 10113->10114 10114->10112 10402 67cedc 10115->10402 10117 67da39 10124 676de8 RtlAllocateHeap 10117->10124 10125 67da42 10117->10125 10118 67686c RtlFreeHeap 10119 67db6a 10118->10119 10120 67db78 10119->10120 10122 67686c RtlFreeHeap 10119->10122 10121 67db86 10120->10121 10123 67686c RtlFreeHeap 10120->10123 10121->9773 10122->10120 10123->10121 10126 67da8f 10124->10126 10125->10118 10125->10119 10126->10125 10127 676844 RtlAllocateHeap 10126->10127 10128 67dac5 10127->10128 10128->10125 10406 67cfcc 10128->10406 10133 679669 10130->10133 10131 679735 10131->9801 10132 67686c RtlFreeHeap 10132->10131 10135 679698 10133->10135 10445 67c8c4 10133->10445 10135->10131 10135->10132 10138 679c96 10136->10138 10137 679c9a 10137->9747 10138->10137 10451 683954 10138->10451 10140 67a04a 10141 67a05e 10140->10141 10143 67686c RtlFreeHeap 10140->10143 10144 67a072 10141->10144 10145 67686c RtlFreeHeap 10141->10145 10142 67686c RtlFreeHeap 10142->10140 10143->10141 10146 67a086 10144->10146 10147 67686c RtlFreeHeap 10144->10147 10145->10144 10146->9747 10147->10146 10148 679e11 10149 67b674 NtQueryInformationToken 10148->10149 10153 679e20 10148->10153 10150 679ee2 10149->10150 10151 676de8 RtlAllocateHeap 10150->10151 10150->10153 10152 679f25 10151->10152 10152->10153 10154 676de8 RtlAllocateHeap 10152->10154 10153->10140 10153->10142 10155 679f45 10154->10155 10155->10153 10156 676de8 RtlAllocateHeap 10155->10156 
10156->10153 10159 678971 10157->10159 10158 678b6c 10158->9797 10159->10158 10160 67b3c0 2 API calls 10159->10160 10160->10158 10166 678290 10161->10166 10178 67828b 10161->10178 10162 678909 10164 67686c RtlFreeHeap 10162->10164 10165 678917 10162->10165 10163 67686c RtlFreeHeap 10163->10162 10164->10165 10165->9797 10167 676844 RtlAllocateHeap 10166->10167 10166->10178 10168 6783cf 10167->10168 10169 6783e7 10168->10169 10170 678401 10168->10170 10168->10178 10171 676de8 RtlAllocateHeap 10169->10171 10172 676de8 RtlAllocateHeap 10170->10172 10173 6783f1 10171->10173 10172->10173 10174 678434 10173->10174 10176 678448 10173->10176 10173->10178 10175 67686c RtlFreeHeap 10174->10175 10175->10178 10176->10178 10454 676c98 10176->10454 10178->10162 10178->10163 10180 676de8 RtlAllocateHeap 10179->10180 10182 681967 10180->10182 10181 681aa8 10184 681ab6 10181->10184 10187 67686c RtlFreeHeap 10181->10187 10193 681970 10182->10193 10458 6818b8 10182->10458 10183 67686c RtlFreeHeap 10183->10181 10185 681ac4 10184->10185 10188 67686c RtlFreeHeap 10184->10188 10196 681d28 10185->10196 10187->10184 10188->10185 10189 6819a4 10190 676934 RtlAllocateHeap 10189->10190 10189->10193 10191 6819bf 10190->10191 10192 676de8 RtlAllocateHeap 10191->10192 10191->10193 10194 681a25 10192->10194 10193->10181 10193->10183 10195 67686c RtlFreeHeap 10194->10195 10195->10193 10197 681e2c 10196->10197 10200 681e5a 10197->10200 10461 681c34 10197->10461 10199 681eeb 10202 6816ac 10199->10202 10200->10199 10201 67686c RtlFreeHeap 10200->10201 10201->10199 10203 6816c4 10202->10203 10204 676de8 RtlAllocateHeap 10203->10204 10205 6816fe 10204->10205 10206 681707 10205->10206 10207 67686c RtlFreeHeap 10205->10207 10206->9790 10207->10206 10209 67dcba 10208->10209 10210 67dcbe NtTerminateProcess 10209->10210 10211 67dcd2 10209->10211 10210->10211 10211->10032 10214 67de8f 10212->10214 10213 67dee2 10214->10213 10215 67686c RtlFreeHeap 10214->10215 10215->10214 10216->10059 10218 67699c 
10217->10218 10219 6769b2 10218->10219 10220 676844 RtlAllocateHeap 10218->10220 10219->10063 10220->10219 10222 67a524 10221->10222 10223 67a4c8 10221->10223 10237 67a470 GetLogicalDriveStringsW 10221->10237 10222->10067 10224 67a4fa ResumeThread 10223->10224 10225 67b3c0 2 API calls 10223->10225 10226 67a50e GetExitCodeThread 10224->10226 10227 67a4d9 10225->10227 10226->10222 10227->10224 10228 67a4dd 10227->10228 10228->10067 10230 67a24f 10229->10230 10232 67a1f3 10229->10232 10238 67a1b0 GetDriveTypeW 10229->10238 10230->10088 10231 67a225 ResumeThread 10234 67a239 GetExitCodeThread 10231->10234 10232->10231 10233 67b3c0 2 API calls 10232->10233 10235 67a204 10233->10235 10234->10230 10235->10231 10236 67a208 10235->10236 10236->10088 10240 67f37f SetThreadPriority 10239->10240 10242 67f321 10239->10242 10245 67f38e 10240->10245 10241 67f371 10243 67686c RtlFreeHeap 10241->10243 10242->10241 10290 67a094 FindFirstFileExW 10242->10290 10246 67f379 10243->10246 10248 676844 RtlAllocateHeap 10245->10248 10265 67f3ad 10248->10265 10249 67f34b 10250 67c19c 10 API calls 10249->10250 10252 67f355 10250->10252 10293 67ef6c 10252->10293 10254 67686c RtlFreeHeap 10257 67f3dd FindFirstFileExW 10254->10257 10257->10265 10258 67686c RtlFreeHeap 10258->10265 10259 67f54c 10260 67686c RtlFreeHeap 10259->10260 10262 67f56f 10260->10262 10261 67f514 FindNextFileW 10263 67f52c FindClose 10261->10263 10261->10265 10263->10265 10264 67f1c8 RtlAllocateHeap 10264->10265 10265->10254 10265->10258 10265->10259 10265->10261 10265->10264 10266 67ef6c 4 API calls 10265->10266 10267 67c19c 10265->10267 10286 67f164 10265->10286 10266->10265 10268 67c1b8 10267->10268 10272 67c1b3 10267->10272 10320 676934 10268->10320 10271 67c1d0 GetFileAttributesW 10273 67c1e0 10271->10273 10272->10265 10274 67c225 10273->10274 10275 67c23e 10273->10275 10276 67c28c 5 API calls 10274->10276 10277 67c246 10275->10277 10278 67c255 GetFileAttributesW 10275->10278 10279 67c22d 10276->10279 10324 67c28c 
CreateFileW 10277->10324 10281 67c262 10278->10281 10282 67c26e CopyFileW 10278->10282 10285 67686c RtlFreeHeap 10279->10285 10283 67686c RtlFreeHeap 10281->10283 10284 67686c RtlFreeHeap 10282->10284 10283->10277 10284->10272 10285->10272 10287 67f17c 10286->10287 10288 676844 RtlAllocateHeap 10287->10288 10289 67f192 10287->10289 10288->10289 10289->10265 10291 67a0e5 10290->10291 10292 67a0c5 FindClose 10290->10292 10291->10241 10291->10249 10292->10291 10294 67f155 10293->10294 10295 67ef8d 10293->10295 10335 67e3ac 10295->10335 10298 67f14d 10299 67686c RtlFreeHeap 10298->10299 10299->10294 10301 67efa5 10301->10298 10302 67efcc 10301->10302 10303 67efb9 10301->10303 10349 67ece4 10302->10349 10345 67ec00 10303->10345 10306 67f034 10308 67686c RtlFreeHeap 10306->10308 10307 67686c RtlFreeHeap 10309 67efc7 10307->10309 10312 67eff9 10308->10312 10309->10298 10309->10306 10309->10307 10311 67ece4 RtlAllocateHeap 10309->10311 10309->10312 10310 67686c RtlFreeHeap 10310->10298 10311->10309 10316 67f075 10312->10316 10353 67ed30 10312->10353 10315 67f0ba 10317 67686c RtlFreeHeap 10315->10317 10316->10298 10316->10310 10317->10316 10318 67f0dc 10318->10316 10319 67686c RtlFreeHeap 10318->10319 10319->10316 10321 67694a 10320->10321 10322 676961 10321->10322 10323 676844 RtlAllocateHeap 10321->10323 10322->10271 10322->10272 10323->10322 10325 67c3ed 10324->10325 10326 67c2bd 10324->10326 10325->10272 10327 67c2f5 WriteFile 10326->10327 10328 67c32c WriteFile 10327->10328 10329 67c31a 10327->10329 10330 67c365 WriteFile 10328->10330 10331 67c353 10328->10331 10329->10272 10332 67c39c WriteFile 10330->10332 10333 67c38a 10330->10333 10331->10272 10332->10326 10334 67c3c3 10332->10334 10333->10272 10334->10272 10336 67e3c5 10335->10336 10338 67e40b 10336->10338 10373 67de48 10336->10373 10338->10298 10339 67e45c 10338->10339 10341 67e47b 10339->10341 10340 67e508 10340->10301 10341->10340 10342 67e350 RtlAllocateHeap 10341->10342 10343 67e4eb 10342->10343 10343->10340 
10344 67686c RtlFreeHeap 10343->10344 10344->10340 10346 67ec0d 10345->10346 10347 676934 RtlAllocateHeap 10346->10347 10348 67ec19 10347->10348 10348->10309 10350 67ecf2 10349->10350 10351 676934 RtlAllocateHeap 10350->10351 10352 67ed01 10351->10352 10352->10309 10355 67ed60 10353->10355 10354 67ed91 10357 676844 RtlAllocateHeap 10354->10357 10355->10354 10356 67e2b8 2 API calls 10355->10356 10356->10354 10364 67ed9d 10357->10364 10358 67ef39 10360 67ef47 10358->10360 10361 67686c RtlFreeHeap 10358->10361 10359 67686c RtlFreeHeap 10359->10358 10362 67ef55 10360->10362 10363 67686c RtlFreeHeap 10360->10363 10361->10360 10362->10315 10362->10316 10362->10318 10363->10362 10365 676844 RtlAllocateHeap 10364->10365 10372 67eee4 10364->10372 10366 67edfa 10365->10366 10367 676844 RtlAllocateHeap 10366->10367 10366->10372 10368 67ee29 10367->10368 10369 676844 RtlAllocateHeap 10368->10369 10368->10372 10370 67eedb 10369->10370 10371 67686c RtlFreeHeap 10370->10371 10370->10372 10371->10372 10372->10358 10372->10359 10374 67de53 10373->10374 10375 67de60 10374->10375 10377 67dce4 10374->10377 10375->10336 10381 67dd1b 10377->10381 10378 67ddf0 10379 67de3d 10378->10379 10380 67686c RtlFreeHeap 10378->10380 10379->10375 10380->10379 10381->10378 10382 676844 RtlAllocateHeap 10381->10382 10383 67dd74 10382->10383 10383->10378 10384 676894 RtlReAllocateHeap 10383->10384 10385 67dd9d 10383->10385 10384->10383 10385->10378 10387 67dc60 NtTerminateProcess 10385->10387 10388 67db90 10385->10388 10387->10385 10390 67dbb0 10388->10390 10389 67dc2d 10389->10385 10390->10389 10391 67dc60 NtTerminateProcess 10390->10391 10391->10389 10396 67f861 10392->10396 10393 67fa12 10393->10098 10393->10106 10394 67f8ee 10394->10393 10397 676844 RtlAllocateHeap 10394->10397 10395 676844 RtlAllocateHeap 10395->10396 10396->10393 10396->10394 10396->10395 10397->10394 10399 6769f9 10398->10399 10400 676844 RtlAllocateHeap 10399->10400 10401 676a19 10400->10401 10401->10110 10403 67cef8 
10402->10403 10404 676844 RtlAllocateHeap 10403->10404 10405 67cf7d 10403->10405 10404->10405 10405->10117 10407 67d01f 10406->10407 10408 67d024 10406->10408 10410 67d45e 10407->10410 10411 67686c RtlFreeHeap 10407->10411 10408->10407 10409 676844 RtlAllocateHeap 10408->10409 10419 67d065 10409->10419 10412 67d46c 10410->10412 10414 67686c RtlFreeHeap 10410->10414 10411->10410 10413 67d47a 10412->10413 10415 67686c RtlFreeHeap 10412->10415 10416 67d488 10413->10416 10417 67686c RtlFreeHeap 10413->10417 10414->10412 10415->10413 10418 67d496 10416->10418 10420 67686c RtlFreeHeap 10416->10420 10417->10416 10421 67d4a4 10418->10421 10423 67686c RtlFreeHeap 10418->10423 10419->10407 10433 67d67c 10419->10433 10420->10418 10421->10125 10423->10421 10424 67d08e 10424->10407 10437 67d4b0 10424->10437 10426 67d0a1 10426->10407 10441 67d638 10426->10441 10429 676de8 RtlAllocateHeap 10430 67d0cc 10429->10430 10430->10407 10431 676844 RtlAllocateHeap 10430->10431 10432 67686c RtlFreeHeap 10430->10432 10431->10430 10432->10430 10434 67d6a7 10433->10434 10435 676844 RtlAllocateHeap 10434->10435 10436 67d7a4 10435->10436 10436->10424 10438 67d540 10437->10438 10439 676844 RtlAllocateHeap 10438->10439 10440 67d57e 10439->10440 10440->10426 10442 67d657 10441->10442 10443 676de8 RtlAllocateHeap 10442->10443 10444 67d0b4 10443->10444 10444->10407 10444->10429 10446 67c8e5 10445->10446 10447 676844 RtlAllocateHeap 10446->10447 10448 67c8f5 10447->10448 10449 67686c RtlFreeHeap 10448->10449 10450 67c917 10448->10450 10449->10450 10450->10135 10452 676844 RtlAllocateHeap 10451->10452 10453 68396b 10452->10453 10453->10148 10457 676cbb 10454->10457 10455 676d24 10455->10178 10456 67686c RtlFreeHeap 10456->10455 10457->10455 10457->10456 10459 676844 RtlAllocateHeap 10458->10459 10460 6818ce 10459->10460 10460->10189 10462 676844 RtlAllocateHeap 10461->10462 10463 681c4e 10462->10463 10463->10200 10465 6797d8 4 API calls 10464->10465 10466 678fa0 10465->10466 10467 679880 NtClose 
10466->10467 10468 679010 10466->10468 10469 678fae 10467->10469 10470 679035 10468->10470 10512 678ecc 10468->10512 10469->10468 10471 678fb7 NtSetInformationThread 10469->10471 10471->10468 10473 678fcb 10471->10473 10501 678da8 10473->10501 10476 679880 NtClose 10477 678fee 10476->10477 10477->10468 10506 678be0 10477->10506 10488 677e60 10479->10488 10480 676844 RtlAllocateHeap 10480->10488 10481 677e72 NtQuerySystemInformation 10481->10488 10482 677ea5 10484 67686c RtlFreeHeap 10482->10484 10483 676894 RtlReAllocateHeap 10483->10488 10485 677ead 10484->10485 10486 67686c RtlFreeHeap 10487 677f40 Sleep 10486->10487 10487->10488 10488->10480 10488->10481 10488->10482 10488->10483 10488->10486 10515 6791c8 10489->10515 10491 67962d 10492 67963c 10491->10492 10533 6790bc 10491->10533 10495 677861 10494->10495 10497 6774b3 10496->10497 10498 67748b 10496->10498 10498->10497 10499 677494 GetDriveTypeW 10498->10499 10545 6774bc 10498->10545 10499->10498 10502 6797d8 4 API calls 10501->10502 10503 678dd3 10502->10503 10504 678de0 OpenSCManagerW 10503->10504 10505 678df9 10503->10505 10504->10505 10505->10468 10505->10476 10507 678c11 10506->10507 10509 676844 RtlAllocateHeap 10507->10509 10511 678c4d 10507->10511 10508 678d9c 10508->10468 10509->10511 10510 67686c RtlFreeHeap 10510->10508 10511->10508 10511->10510 10513 6797d8 4 API calls 10512->10513 10514 678ee5 10513->10514 10514->10470 10516 6792a9 10515->10516 10517 67946d RegCreateKeyExW 10516->10517 10518 6794c7 RegCreateKeyExW 10517->10518 10527 6794a1 10517->10527 10521 6795e2 10518->10521 10522 6795bc RegEnumKeyW 10518->10522 10520 6794a8 RegEnumKeyW 10520->10518 10523 6794cc RegCreateKeyExW 10520->10523 10521->10491 10522->10521 10526 6795e4 OpenEventLogW 10522->10526 10525 6794fa RegSetValueExW 10523->10525 10523->10527 10525->10527 10528 67951c RegSetValueExW 10525->10528 10526->10522 10530 6795fc ClearEventLogW 10526->10530 10527->10520 10529 67956c NtClose 10527->10529 10528->10527 10531 67953a 
OpenEventLogW 10528->10531 10529->10527 10530->10522 10531->10527 10532 679552 ClearEventLogW CloseEventLog 10531->10532 10532->10527 10540 67903c RtlAdjustPrivilege 10533->10540 10535 6791ac CloseServiceHandle 10536 6791b5 10535->10536 10536->10492 10537 679194 10537->10535 10537->10536 10538 6790d5 10538->10537 10539 67dc60 NtTerminateProcess 10538->10539 10539->10537 10541 6797d8 4 API calls 10540->10541 10542 679074 10541->10542 10543 679880 NtClose 10542->10543 10544 679082 10542->10544 10543->10544 10544->10538 10553 677590 10545->10553 10547 6774d4 10548 677506 FindFirstFileExW 10547->10548 10550 677580 10547->10550 10548->10550 10551 67752e 10548->10551 10549 67756c FindNextFileW 10549->10550 10549->10551 10550->10498 10551->10549 10559 67766c 10551->10559 10554 6775b0 FindFirstFileExW 10553->10554 10556 677662 10554->10556 10557 67760e FindClose 10554->10557 10556->10547 10557->10556 10560 67768e 10559->10560 10561 677822 10560->10561 10562 676844 RtlAllocateHeap 10560->10562 10561->10549 10567 6776a6 10562->10567 10563 6777fd 10564 677814 10563->10564 10565 67686c RtlFreeHeap 10563->10565 10564->10561 10566 67686c RtlFreeHeap 10564->10566 10565->10564 10566->10561 10567->10563 10568 6776de FindFirstFileExW 10567->10568 10568->10563 10572 677706 10568->10572 10569 6777e5 FindNextFileW 10569->10563 10569->10572 10570 676844 RtlAllocateHeap 10570->10572 10571 677780 GetFileAttributesW 10571->10572 10572->10569 10572->10570 10572->10571 10574 67766c 12 API calls 10572->10574 10575 67686c RtlFreeHeap 10572->10575 10576 676668 10572->10576 10574->10572 10575->10572 10577 67667e 10576->10577 10577->10577 10578 67a094 2 API calls 10577->10578 10579 676695 10578->10579 10580 6766a5 CreateFileW 10579->10580 10581 6767a5 10579->10581 10580->10581 10585 6766cd 10580->10585 10583 6767d4 NtFreeVirtualMemory 10581->10583 10584 6767f9 10581->10584 10582 6766d2 NtAllocateVirtualMemory 10582->10585 10593 676703 10582->10593 10583->10581 10586 6767ff NtClose 10584->10586 
10587 676808 10584->10587 10585->10582 10585->10593 10586->10587 10596 676550 10587->10596 10590 676763 WriteFile 10592 67677d SetFilePointerEx 10590->10592 10590->10593 10591 676821 10594 676836 10591->10594 10595 67686c RtlFreeHeap 10591->10595 10592->10590 10592->10593 10593->10581 10593->10590 10594->10572 10595->10594 10597 676934 RtlAllocateHeap 10596->10597 10598 67656a 10597->10598 10599 676934 RtlAllocateHeap 10598->10599 10602 676573 10598->10602 10603 676582 10599->10603 10600 67661e DeleteFileW 10600->10591 10601 67686c RtlFreeHeap 10601->10600 10602->10600 10602->10601 10603->10602 10603->10603 10604 6765df MoveFileExW 10603->10604 10604->10602 10604->10603 10660 67f59c 10605->10660 10608 67f59c 2 API calls 10611 680080 10608->10611 10609 6800d1 10610 680313 10609->10610 10612 67686c RtlFreeHeap 10609->10612 10613 680321 10610->10613 10615 67686c RtlFreeHeap 10610->10615 10614 6800a8 10611->10614 10616 67f59c 2 API calls 10611->10616 10612->10610 10617 68032f 10613->10617 10619 67686c RtlFreeHeap 10613->10619 10614->10609 10618 676844 RtlAllocateHeap 10614->10618 10615->10613 10616->10614 10617->9448 10620 6800c8 10618->10620 10619->10617 10620->10609 10621 676844 RtlAllocateHeap 10620->10621 10622 6800e3 10621->10622 10622->10609 10623 67e1e8 5 API calls 10622->10623 10632 6800f6 10623->10632 10624 6769e0 RtlAllocateHeap 10624->10632 10625 68028d 10626 67686c RtlFreeHeap 10625->10626 10628 68029b 10625->10628 10626->10628 10627 67f6d8 NtSetInformationThread NtClose 10627->10632 10628->10609 10629 67e270 NtClose 10628->10629 10629->10609 10630 67b3c0 2 API calls 10630->10632 10631 67686c RtlFreeHeap 10631->10632 10632->10624 10632->10625 10632->10627 10632->10630 10632->10631 10634 677433 10633->10634 10635 676934 RtlAllocateHeap 10634->10635 10637 677441 10635->10637 10636 677464 10636->9820 10637->10636 10638 67686c RtlFreeHeap 10637->10638 10638->10636 10640 67a983 10639->10640 10641 67a488 6 API calls 10640->10641 10642 67a99a 10641->10642 10643 
676844 RtlAllocateHeap 10642->10643 10644 67a9c9 10642->10644 10643->10644 10644->9820 10646 67a3ff 10645->10646 10647 67a419 10646->10647 10648 67b3c0 2 API calls 10646->10648 10647->9832 10647->9841 10648->10647 10650 676a8d 10649->10650 10651 676844 RtlAllocateHeap 10650->10651 10652 676aa3 10650->10652 10651->10652 10652->9846 10654 67e1e8 5 API calls 10653->10654 10656 680977 10654->10656 10655 6809c8 10657 6809cc 10655->10657 10659 67e270 NtClose 10655->10659 10656->10655 10658 67b3c0 2 API calls 10656->10658 10657->9823 10658->10655 10659->10657 10661 67f5f6 10660->10661 10662 67b3c0 2 API calls 10661->10662 10663 67f610 10661->10663 10662->10663 10663->10608 10663->10614 10664->9870 10666 680e48 10665->10666 10667 680e8d 10665->10667 10668 67c8c4 2 API calls 10666->10668 10667->9867 10671 681400 10667->10671 10669 680e4d 10668->10669 10669->10667 10670 67686c RtlFreeHeap 10669->10670 10670->10667 10723 681240 10671->10723 10673 681441 10674 676de8 RtlAllocateHeap 10673->10674 10699 681445 10673->10699 10682 681454 10674->10682 10675 6815e0 10677 6815ee 10675->10677 10678 67686c RtlFreeHeap 10675->10678 10676 67686c RtlFreeHeap 10676->10675 10679 6815fc 10677->10679 10680 67686c RtlFreeHeap 10677->10680 10678->10677 10681 68160a 10679->10681 10683 67686c RtlFreeHeap 10679->10683 10680->10679 10681->9867 10700 681760 10681->10700 10682->10699 10745 681611 10682->10745 10683->10681 10686 676de8 RtlAllocateHeap 10687 68149b 10686->10687 10688 681611 RtlFreeHeap 10687->10688 10687->10699 10689 6814d4 10688->10689 10690 676de8 RtlAllocateHeap 10689->10690 10691 6814de 10690->10691 10692 681611 RtlFreeHeap 10691->10692 10691->10699 10693 681521 10692->10693 10694 676de8 RtlAllocateHeap 10693->10694 10695 68152b 10694->10695 10696 681611 RtlFreeHeap 10695->10696 10695->10699 10697 68156b 10696->10697 10698 676de8 RtlAllocateHeap 10697->10698 10698->10699 10699->10675 10699->10676 10701 676de8 RtlAllocateHeap 10700->10701 10702 681791 10701->10702 10706 6818b8 
RtlAllocateHeap 10702->10706 10710 68179a 10702->10710 10703 67686c RtlFreeHeap 10704 681890 10703->10704 10705 67686c RtlFreeHeap 10704->10705 10707 68189e 10704->10707 10705->10707 10708 6817ce 10706->10708 10707->9878 10709 676de8 RtlAllocateHeap 10708->10709 10708->10710 10711 681809 10709->10711 10710->10703 10710->10704 10712 67686c RtlFreeHeap 10711->10712 10712->10710 10714 681190 10713->10714 10715 676de8 RtlAllocateHeap 10714->10715 10722 681195 10714->10722 10720 6811a1 10715->10720 10716 681219 10717 681227 10716->10717 10719 67686c RtlFreeHeap 10716->10719 10717->9881 10718 67686c RtlFreeHeap 10718->10716 10719->10717 10721 676de8 RtlAllocateHeap 10720->10721 10720->10722 10721->10722 10722->10716 10722->10718 10724 68126f 10723->10724 10727 681282 10723->10727 10726 676de8 RtlAllocateHeap 10724->10726 10724->10727 10725 68130f 10725->10673 10728 68128d 10726->10728 10727->10725 10749 6810cc 10727->10749 10728->10727 10729 676de8 RtlAllocateHeap 10728->10729 10731 6812a5 10729->10731 10731->10727 10733 6812b4 10731->10733 10732 681336 10734 676934 RtlAllocateHeap 10732->10734 10735 676de8 RtlAllocateHeap 10733->10735 10736 681345 10734->10736 10737 6812bd 10735->10737 10736->10725 10738 676934 RtlAllocateHeap 10736->10738 10737->10673 10740 681377 10738->10740 10739 6813bd 10742 6813cb 10739->10742 10743 67686c RtlFreeHeap 10739->10743 10740->10725 10740->10739 10741 67686c RtlFreeHeap 10740->10741 10741->10739 10742->10725 10744 67686c RtlFreeHeap 10742->10744 10743->10742 10744->10725 10746 681491 10745->10746 10747 681617 10745->10747 10746->10686 10748 67686c RtlFreeHeap 10747->10748 10748->10746 10750 676844 RtlAllocateHeap 10749->10750 10751 6810e2 10750->10751 10751->10732 10753 681bef 10752->10753 10756 681b50 10753->10756 10755 681c07 10755->9887 10757 676844 RtlAllocateHeap 10756->10757 10758 681b67 10757->10758 10759 681b9d 10758->10759 10760 676894 RtlReAllocateHeap 10758->10760 10763 681b80 10758->10763 10761 67686c RtlFreeHeap 
10759->10761 10760->10758 10762 681ba5 10761->10762 10762->10755 10764 67686c RtlFreeHeap 10763->10764 10765 681be0 10764->10765 10765->10755 10767 6864b6 10766->10767 10783 6864ce 10767->10783 10818 686124 10767->10818 10768 6865f0 10768->9901 10769 67686c RtlFreeHeap 10769->10768 10783->10768 10783->10769 10785 683fa4 10784->10785 10788 683fd5 10785->10788 11079 683d98 10785->11079 10787 684066 10787->9898 10790 684508 10787->10790 10788->10787 10789 67686c RtlFreeHeap 10788->10789 10789->10787 10791 68452e 10790->10791 10809 684532 10791->10809 11082 682af8 10791->11082 10794 684684 10795 684692 10794->10795 10798 67686c RtlFreeHeap 10794->10798 10799 6846a0 10795->10799 10801 67686c RtlFreeHeap 10795->10801 10796 676844 RtlAllocateHeap 10800 684553 10796->10800 10797 67686c RtlFreeHeap 10797->10794 10798->10795 10799->9907 10810 6846a8 10799->10810 10802 679640 2 API calls 10800->10802 10800->10809 10801->10799 10803 684566 10802->10803 10804 67f82c RtlAllocateHeap 10803->10804 10805 68457f 10804->10805 10806 676844 RtlAllocateHeap 10805->10806 10805->10809 10807 68459d 10806->10807 10808 676844 RtlAllocateHeap 10807->10808 10807->10809 10808->10809 10809->10794 10809->10797 10811 6846b9 10810->10811 10812 6848ba 10811->10812 10813 679640 2 API calls 10811->10813 10812->9907 10814 6846c7 10813->10814 10814->10812 10815 676de8 RtlAllocateHeap 10814->10815 10816 6846e1 10815->10816 10816->10812 10817 67686c RtlFreeHeap 10816->10817 10817->10812 11050 6860a8 10818->11050 10820 686450 10822 68645e 10820->10822 10825 67686c RtlFreeHeap 10820->10825 10821 67686c RtlFreeHeap 10821->10820 10823 68646c 10822->10823 10826 67686c RtlFreeHeap 10822->10826 10827 68647a 10823->10827 10828 67686c RtlFreeHeap 10823->10828 10825->10822 10826->10823 10829 686488 10827->10829 10831 67686c RtlFreeHeap 10827->10831 10828->10827 10829->10783 10841 685d28 10829->10841 10830 676844 RtlAllocateHeap 10832 6861a8 10830->10832 10831->10829 10833 676844 RtlAllocateHeap 10832->10833 10839 
                                  [Call-graph rendering: node/edge list of function addresses and the API calls they reach (RtlAllocateHeap, RtlFreeHeap, RtlReAllocateHeap, NtSetInformationThread, NtClose, NtTerminateProcess, NtQuerySystemInformation, RtlAdjustPrivilege, CoInitialize, Sleep); graph data omitted, not readable as text]

                                  Control-flow Graph

                                  [Control-flow graph for function 6804b4-6808f0; node/edge list omitted. APIs reached in the graph: GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread, ConnectNamedPipe, RtlFreeHeap]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: D
                                  • API String ID: 0-2746444292
                                  • Opcode ID: 8a83d7365fbc0f4d38258b9aaa29229ebe87ab59fe20c365f4a1331539e9a682
                                  • Instruction ID: 7dd2a23225e8a612497d1cbcec1535b44a2f55fd817786032e23cb75c1c68010
                                  • Opcode Fuzzy Hash: 8a83d7365fbc0f4d38258b9aaa29229ebe87ab59fe20c365f4a1331539e9a682
                                  • Instruction Fuzzy Hash: AFE16F71900218EFEFA1AF90CC09BEDBBBAFF04704F1045A6E209B6191D7755A89DF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Control-flow graph for function 6791c8-679627; node/edge list omitted. APIs reached in the graph: RegCreateKeyExW, RegEnumKeyW, RegSetValueExW, OpenEventLogW, ClearEventLogW, CloseEventLog, NtClose]
                                  APIs
                                  • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000,?,00000007,?,00000004,?,00000019,?), ref: 00679493
                                  • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 006794BA
                                  • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 006794F0
                                  • RegSetValueExW.KERNELBASE(00000000,?,00000000,00000004,00000000,00000004), ref: 00679512
                                  • RegSetValueExW.KERNELBASE(00000000,?,00000000,00000001,?,00000064), ref: 00679530
                                  • OpenEventLogW.ADVAPI32(00000000,?), ref: 00679543
                                  • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 00679557
                                  • CloseEventLog.ADVAPI32(00000000), ref: 00679560
                                  • NtClose.NTDLL(00000000), ref: 0067956F
                                  • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 006795B2
                                  • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 006795D5
                                  • OpenEventLogW.ADVAPI32(00000000,?), ref: 006795ED
                                  • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 00679601
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$Create$ClearCloseEnumOpenValue
                                  • String ID:
                                  • API String ID: 1987712460-0
                                  • Opcode ID: d2f44f539a9952e9327f54464b8e854379854970b2808206d479f522b9e5d4a0
                                  • Instruction ID: 7356dcaa28624ba3ac3769c255cf42a2213273b588154a21ad479cde76b986df
                                  • Opcode Fuzzy Hash: d2f44f539a9952e9327f54464b8e854379854970b2808206d479f522b9e5d4a0
                                  • Instruction Fuzzy Hash: C7C125B8840306EFEB218F50D844F987B79FF05744F528189E6195F2B2D37A9A84CF56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Control-flow graph for function 676668-67683f; node/edge list omitted. APIs reached in the graph: CreateFileW, NtAllocateVirtualMemory, WriteFile, SetFilePointerEx, NtFreeVirtualMemory, NtClose, DeleteFileW]
                                  APIs
                                  • CreateFileW.KERNELBASE(006777D6,40000000,00000003,00000000,00000003,80000000,00000000,006777D6,?,?,00000000,?), ref: 006766BA
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004,?,00000000,?), ref: 006766F3
                                  • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000,?,00000000,?), ref: 00676771
                                  • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001,?,00000000,?), ref: 0067678D
                                  • NtFreeVirtualMemory.NTDLL(000000FF,?,00010000,00008000,?,00000000,?), ref: 006767ED
                                  • NtClose.NTDLL(000000FF,?,00000000,?), ref: 00676802
                                  • DeleteFileW.KERNELBASE(?,000000FF,?,?,00000000,?), ref: 00676817
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$MemoryVirtual$AllocateCloseCreateDeleteFreePointerWrite
                                  • String ID: lug
                                  • API String ID: 3569053182-1058181662
                                  • Opcode ID: 987df3957886271c1cf62c833ac7c9942720610c4f121e12faa5ee1ff1294a4f
                                  • Instruction ID: 68675c278b2c9bb544d578c10a86f435d116dd0fab71deec5d545f972c96375d
                                  • Opcode Fuzzy Hash: 987df3957886271c1cf62c833ac7c9942720610c4f121e12faa5ee1ff1294a4f
                                  • Instruction Fuzzy Hash: FA517E71900609EFDF11CFA4CC84BEEBBBAEB04769F208225F519B6190D3B15E85CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Control-flow graph for function 67a68c-67a955; node/edge list omitted. APIs reached in the graph: GetVolumeNameForVolumeMountPointW, FindFirstVolumeW, GetVolumePathNamesForVolumeNameW, GetDriveTypeW, CreateFileW, DeviceIoControl]
                                  APIs
                                  • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000104), ref: 0067A6D6
                                  • FindFirstVolumeW.KERNELBASE(?,00000104), ref: 0067A6FF
                                  • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,00000040,00000000), ref: 0067A73A
                                  • GetDriveTypeW.KERNELBASE(?), ref: 0067A75D
                                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?), ref: 0067A810
                                  • DeviceIoControl.KERNELBASE(000000FF,00070048,00000000,00000000,?,00000090,00000001,00000000), ref: 0067A841
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: Volume$Name$ControlCreateDeviceDriveFileFindFirstMountNamesPathPointType
                                  • String ID: '
                                  • API String ID: 754975672-1997036262
                                  • Opcode ID: d70acae1ea209e632d0b9b3011b688e02601b7c77e795811a980c49ecd11ca20
                                  • Instruction ID: 3b7ed6410c2831bbad64d91eab39a81400804bb17568175dcd06ddec73856d62
                                  • Opcode Fuzzy Hash: d70acae1ea209e632d0b9b3011b688e02601b7c77e795811a980c49ecd11ca20
                                  • Instruction Fuzzy Hash: DE71AF30800614EEDB31AF90DC09BEE7BBEEF41712F15C096E20AA61A1D7705A95CF67
                                  Uniqueness

                                  Uniqueness Score: -1.00%
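Read together, the six calls above show the shape of this routine: FindFirstVolumeW walks the volume GUID paths, GetVolumePathNamesForVolumeNameW maps each one to its mount points, GetDriveTypeW filters by drive type, CreateFileW opens the volume for reading and a single DeviceIoControl queries it. The report prints the arguments raw, so the Python helper below, added here as an illustration (it is not code from the sample or from Joe Sandbox), decodes the two calls that carry constants: the CreateFileW access, share, disposition and flag values, and the DeviceIoControl control code 0x70048 together with its 0x90-byte output buffer. The control-code layout and the constant tables are the documented Windows values; the structure sizes are for 32-bit Windows (the eight-digit addresses in the report indicate a 32-bit image), and nothing further is assumed about what the routine does with the result.

```python
"""Decode the DeviceIoControl and CreateFileW arguments listed for the
volume-enumeration function above.

Added illustration, not code from the sample or from Joe Sandbox. The
argument values come from the report's "APIs" list; the constant tables are
the documented Windows values (<winioctl.h>, <winnt.h>)."""

# CTL_CODE(DeviceType, Function, Method, Access):
# bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method
DEVICE_TYPES = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
                0x09: "FILE_DEVICE_FILE_SYSTEM", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]


def ctl_code(device, function, method, access):
    """Same packing as the CTL_CODE macro."""
    return (device << 16) | (access << 14) | (function << 2) | method


# Well-known codes with the 32-bit sizeof of their fixed-size output structure
# (None where the output is variable length).
KNOWN_IOCTLS = {
    ctl_code(0x07, 0x00, 0, 0): ("IOCTL_DISK_GET_DRIVE_GEOMETRY", 24),       # DISK_GEOMETRY
    ctl_code(0x07, 0x12, 0, 0): ("IOCTL_DISK_GET_PARTITION_INFO_EX", 144),   # PARTITION_INFORMATION_EX
    ctl_code(0x07, 0x14, 0, 0): ("IOCTL_DISK_GET_DRIVE_LAYOUT_EX", None),
    ctl_code(0x09, 0x06, 0, 0): ("FSCTL_LOCK_VOLUME", 0),
    ctl_code(0x09, 0x08, 0, 0): ("FSCTL_DISMOUNT_VOLUME", 0),
}


def decode_ctl_code(code, out_size=None):
    """Split a control code into its fields; if out_size is given, check it
    against the size of the structure the named IOCTL returns."""
    name, expected = KNOWN_IOCTLS.get(code, (None, None))
    return {
        "device_type": DEVICE_TYPES.get(code >> 16, "0x%X" % (code >> 16)),
        "access": ACCESS[(code >> 14) & 3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
        "name": name,
        "size_matches": None if out_size is None or expected is None else out_size == expected,
    }


GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x20000000: "FILE_FLAG_NO_BUFFERING", 0x40000000: "FILE_FLAG_OVERLAPPED",
         0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def _bits(value, table):
    """Render a bit mask as OR-ed names, keeping any unrecognised bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append("0x%X" % rest)
    return "|".join(names) or "0"


def decode_create_file(access, share, disposition, flags):
    """Name the four constant arguments of a CreateFileW call."""
    return {"access": _bits(access, GENERIC), "share": _bits(share, SHARE),
            "disposition": DISPOSITION.get(disposition, str(disposition)),
            "flags": _bits(flags, FLAGS)}


if __name__ == "__main__":
    # Values copied from the two calls in the report entry above.
    print(decode_create_file(0x80000000, 0x3, 0x3, 0x80))
    print(decode_ctl_code(0x70048, out_size=0x90))
```

Run stand-alone, the script reports GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL for the open, and FILE_DEVICE_DISK / function 0x12 / METHOD_BUFFERED for the control code, which is IOCTL_DISK_GET_PARTITION_INFO_EX; the size check passes because 0x90 is sizeof(PARTITION_INFORMATION_EX) on x86. The routine is therefore reading the partition style, offset and length of each mounted volume that passes its drive-type check; what it does with that information is not shown in this entry.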

                                   Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                   Basic blocks 687034-6873a9. API nodes: KiUserCallbackDispatcher, CreateThread (five call sites), NtTerminateThread. Internal calls include 67b734 (the NtSetInformationProcess routine below), 67a68c (the volume-enumeration routine above), 676ae8, 679c64, 677ca4, 67e1e8, 67e2b8, 680a38, 680be4, 67fc88, 67e270, 681934, 681d28, 6816ac, 67b674, 678230, 678960, 67da00, 679640, 6804b4.
                                  APIs
                                  • KiUserCallbackDispatcher.NTDLL(00000043,00000000), ref: 0068704B
                                  • CreateThread.KERNELBASE(00000000,00000000,00678F68,00000000,00000000,00000000), ref: 00687129
                                  • CreateThread.KERNELBASE(00000000,00000000,00677468,00000000,00000000,00000000), ref: 00687154
                                  • CreateThread.KERNELBASE(00000000,00000000,0067782C,00000000,00000000,00000000), ref: 0068716C
                                  • CreateThread.KERNELBASE(00000000,00000000,00677E58,00000000,00000000,00000000), ref: 0068719B
                                  • NtTerminateThread.NTDLL(?,00000000), ref: 00687270
                                  • CreateThread.KERNELBASE(00000000,00000000,00679628,00000000,00000000,00000000), ref: 00687297
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: Thread$Create$CallbackDispatcherTerminateUser
                                  • String ID:
                                  • API String ID: 1743520491-0
                                  • Opcode ID: 4afb9e80529d2e4be03c4302d5b3058f8f0f9b48e34623296ea6185495a75285
                                  • Instruction ID: 387fadcfe17efe19cd7adaacd46627fe146d8e4211291aa999ea14da132e640a
                                  • Opcode Fuzzy Hash: 4afb9e80529d2e4be03c4302d5b3058f8f0f9b48e34623296ea6185495a75285
                                  • Instruction Fuzzy Hash: 2191B570548700BFEB637FB0DC4EBAD3AABAB05705F246216F216655F2DBB44940CB25
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                   Basic blocks 67f308-67f572. API nodes: GetFileAttributesW, SetThreadPriority, FindFirstFileExW, FindNextFileW, FindClose. Internal calls: 67bbf4, 67a094, 67686c, 671564, 676844, 67c19c, 67f164, 677290, 67ef6c, 67f21c, 67f2b4, 67f1c8.
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 0067F314
                                  • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 0067F383
                                  • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000,?,?,?,00695180,003D0900), ref: 0067F3F0
                                  • FindNextFileW.KERNELBASE(000000FF,?), ref: 0067F51E
                                  • FindClose.KERNELBASE(000000FF), ref: 0067F52F
                                    • Part of subcall function 0067A094: FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 0067A0B6
                                    • Part of subcall function 0067A094: FindClose.KERNELBASE(000000FF), ref: 0067A0DC
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirst$AttributesNextPriorityThread
                                  • String ID:
                                  • API String ID: 3755735135-0
                                  • Opcode ID: 7a0d606b55627169b7fb3cecfc47fd2e39ba999bfc771b86aaa16f4fa350dce8
                                  • Instruction ID: 9f9fb89df4121da0e979c57bab68514d8f1c966ccc38b9aa04b54d5eaf023c4e
                                  • Opcode Fuzzy Hash: 7a0d606b55627169b7fb3cecfc47fd2e39ba999bfc771b86aaa16f4fa350dce8
                                  • Instruction Fuzzy Hash: 68617C30804209EFDF21AF60DC45FEEBBB7AF05314F10817AF919A52A2D7315A91DB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                   Basic blocks 67766c-677827. API nodes: FindFirstFileExW, GetFileAttributesW, FindNextFileW. Internal calls: 676844, 6716c0, 67686c, 676668, and a recursive call to 67766c itself (block 6777af-6777bb).
                                  APIs
                                    • Part of subcall function 00676844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00687764,?,00000000,00000000), ref: 00676860
                                  • FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 006776F3
                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 00677786
                                  • FindNextFileW.KERNELBASE(000000FF,?), ref: 006777EF
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: File$Find$AllocateAttributesFirstHeapNext
                                  • String ID: lug
                                  • API String ID: 2400493143-1058181662
                                  • Opcode ID: 512c005db81eb8d3a9cbb80a384c0215ca334fe786ef74e10de29c96507c832e
                                  • Instruction ID: 57733ff4a080e3e7e3d32797793672d75578d736614d50e64f41995751c369b9
                                  • Opcode Fuzzy Hash: 512c005db81eb8d3a9cbb80a384c0215ca334fe786ef74e10de29c96507c832e
                                  • Instruction Fuzzy Hash: D9416A30C04118EBDF129FA0DC49BEEBBBABF00706F008465E41AA11B1E7765A64DF96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                   Basic blocks 675c24-675d9c. API nodes: FindFirstFileW, FindClose, FindNextFileW. Internal calls: 675aec, 671658, 671240, 6711c4, 675a20.
                                  APIs
                                  • FindFirstFileW.KERNELBASE(?,?,?,00000004,?), ref: 00675CF7
                                  • FindClose.KERNELBASE(000000FF,?,00000000), ref: 00675D1C
                                  • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00675D41
                                  • FindClose.KERNELBASE(000000FF), ref: 00675D4E
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID:
                                  • API String ID: 1164774033-0
                                  • Opcode ID: debdd132ba7acd0c20e3285e3b6a59a1398e0a45a8d0d667faf2fbf6cd346334
                                  • Instruction ID: 2ed58ad637580b63844c2a04f4b961a62ac3929926c55a03135afc8493bf4bd3
                                  • Opcode Fuzzy Hash: debdd132ba7acd0c20e3285e3b6a59a1398e0a45a8d0d667faf2fbf6cd346334
                                  • Instruction Fuzzy Hash: 45419F70800A08DFCB629F70DC897997BBEEB10702F60D1ABE40B9A661D7B549C5CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                   Basic blocks 67b734-67b785. API nodes: NtSetInformationProcess (three call sites). Internal calls: 6768c0, 6768ec.
                                  APIs
                                  • NtSetInformationProcess.NTDLL(000000FF,00000021,00000000,00000004,00000004,00000000,006871D1), ref: 0067B751
                                  • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002), ref: 0067B763
                                  • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004), ref: 0067B778
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: InformationProcess
                                  • String ID:
                                  • API String ID: 1801817001-0
                                  • Opcode ID: 83d313410c139893abfcc441530e44578d28f5e5de12269774bfed4da7e074eb
                                  • Instruction ID: 569a5e47b445da4eb91b8451d55cb6a9d7cf94f1ab788a34843ab68a04f2ba7b
                                  • Opcode Fuzzy Hash: 83d313410c139893abfcc441530e44578d28f5e5de12269774bfed4da7e074eb
                                  • Instruction Fuzzy Hash: 4EF01CB1240610AFEB61AB94DCC6F51379D9B05B21F100361B332DD1D6D7B084448BA3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered image; legend: Executed / Not Executed)
                                   Basic blocks 67b470-67b4ca. API nodes: NtProtectVirtualMemory. Internal call: 675aec.
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?,9870B143), ref: 0067B4B1
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-3916222277
                                  • Opcode ID: 2b59c99fb36dd86048be8860dcc3ee65e79bf0bc559d6a93724485b5a66bf456
                                  • Instruction ID: f214ea4d5a0ec9bc19644701bd7c8e8290dfb933f7617127f86536d0811fcb43
                                  • Opcode Fuzzy Hash: 2b59c99fb36dd86048be8860dcc3ee65e79bf0bc559d6a93724485b5a66bf456
                                  • Instruction Fuzzy Hash: 30F05E71900308FBDB10CFA4DD89BDEB7BCEB04725F6082A5A529E72D1E7755B048B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(?,00680A30,00000000), ref: 0067E2A1
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: Close
                                  • String ID: 0h
                                  • API String ID: 3535843008-1655455074
                                  • Opcode ID: 16b490a5146de621d8dc8a3a8e22b404563e1733d895483b8b80aad01a88a2aa
                                  • Instruction ID: 5bfb7768e96c7cce4bf4769331d938eb627a1a307acf696b42d71131e6863fe0
                                  • Opcode Fuzzy Hash: 16b490a5146de621d8dc8a3a8e22b404563e1733d895483b8b80aad01a88a2aa
                                  • Instruction Fuzzy Hash: 73E04F31250B04EFDB227F85EC89F55379FF714B01F505126F716519A1C7B25884D715
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: 41d632c417020bc690d0bda8a8a839c98093f2c2f56f9e9da8e92d44405d085e
                                  • Instruction ID: 08874eb39b540bb307e30c79ac5b7c83060f49b0827a7b9e7c329f464a4d2eb8
                                  • Opcode Fuzzy Hash: 41d632c417020bc690d0bda8a8a839c98093f2c2f56f9e9da8e92d44405d085e
                                  • Instruction Fuzzy Hash: B1618E3090060AEFEF51AFD0DC45BEEBB7BEF04305F204626E505662A1D7756A49CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00676844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00687764,?,00000000,00000000), ref: 00676860
                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00677E7E
                                  • Sleep.KERNELBASE(000007D0,?), ref: 00677F45
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: the same six associated dump files as listed in the entries above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Similarity
                                  • API ID: AllocateHeapInformationQuerySleepSystem
                                  • String ID:
                                  • API String ID: 3184523392-0
                                  • Opcode ID: b8f3b7a52f9409765832a0868f5f5ef8ac357fe81019b7783d74298508b97dbe
                                  • Instruction ID: baa31424592340e11eae45c908c54f8405f9ab52f9bec08daa88e99106f6cb79
                                  • Opcode Fuzzy Hash: b8f3b7a52f9409765832a0868f5f5ef8ac357fe81019b7783d74298508b97dbe
                                  • Instruction Fuzzy Hash: AE214171D04608EFDF419FA0DC44BDEBBBAEF04304F20C099E519AA261E7769A45DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 00678F8A
                                    • Part of subcall function 006797D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                    • Part of subcall function 00679880: NtClose.NTDLL(00000000), ref: 00679971
                                  • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,D1F935A5), ref: 00678FC1
                                    • Part of subcall function 00678DA8: OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,7DDDCD9C), ref: 00678DE6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Information$AdjustCloseManagerOpenPrivilegeQuerySystemThread
                                  • String ID:
                                  • API String ID: 1903255304-0
                                  • Opcode ID: 5fc753655cd0867a6a18051433ceb76a8525abfe7c2b3491b7e5c630670397bd
                                  • Instruction ID: d7d8b018466221cc6c0a52a5aeab5df5fc9e008a2367818b569e52480c4f3044
                                  • Opcode Fuzzy Hash: 5fc753655cd0867a6a18051433ceb76a8525abfe7c2b3491b7e5c630670397bd
                                  • Instruction Fuzzy Hash: AA218170950308BEEB60AFA0CC4EFDE7AFAAF05715F108558B519A62D5EB708A80D771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 00678F8A
                                    • Part of subcall function 006797D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                    • Part of subcall function 00679880: NtClose.NTDLL(00000000), ref: 00679971
                                  • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,D1F935A5), ref: 00678FC1
                                    • Part of subcall function 00678DA8: OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,7DDDCD9C), ref: 00678DE6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Information$AdjustCloseManagerOpenPrivilegeQuerySystemThread
                                  • String ID:
                                  • API String ID: 1903255304-0
                                  • Opcode ID: 78f8e0d50b07647fb6c9a93f988e71d8dde6c8edc25bd9ec1937166e4830bc98
                                  • Instruction ID: ac8026a1ddb6a910ad18ecfc57c895cd2f78c393ca18affb7a42673c2b6a7020
                                  • Opcode Fuzzy Hash: 78f8e0d50b07647fb6c9a93f988e71d8dde6c8edc25bd9ec1937166e4830bc98
                                  • Instruction Fuzzy Hash: 07219370950308BEEF60AFA0CC4EFDE7AFAAF05715F108558B509A62D5EB708A80D771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00677590: FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 006775FF
                                    • Part of subcall function 00677590: FindClose.KERNELBASE(000000FF), ref: 0067765C
                                  • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 0067751F
                                  • FindNextFileW.KERNELBASE(000000FF,?), ref: 00677576
                                    • Part of subcall function 0067766C: FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 006776F3
                                    • Part of subcall function 0067766C: GetFileAttributesW.KERNELBASE(00000000), ref: 00677786
                                    • Part of subcall function 0067766C: FindNextFileW.KERNELBASE(000000FF,?), ref: 006777EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$First$Next$AttributesClose
                                  • String ID:
                                  • API String ID: 95010735-0
                                  • Opcode ID: c04c79a85c4856fcd2ff85d6e8e314df32fcbf5730d76a023c4f92f00d6c9fae
                                  • Instruction ID: c7cdf463a162b95de078044b08b2a2a00548aab0c63c03405bc6a99fa77749aa
                                  • Opcode Fuzzy Hash: c04c79a85c4856fcd2ff85d6e8e314df32fcbf5730d76a023c4f92f00d6c9fae
                                  • Instruction Fuzzy Hash: 08212CB194020DABDB10EFA0DD4DFD9B7BDAB14301F4044A6BA0DE6191EB31AB54CF66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 006775FF
                                  • FindClose.KERNELBASE(000000FF), ref: 0067765C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2295610775-0
                                  • Opcode ID: e81931d5dd18e545c420636d53ae23706d0cbfb6785dc2dd3069db4f7df871ff
                                  • Instruction ID: d7067a71332665a5a2133f30a3ec75b7656d4cac52a0dc03c11e7644f23a0528
                                  • Opcode Fuzzy Hash: e81931d5dd18e545c420636d53ae23706d0cbfb6785dc2dd3069db4f7df871ff
                                  • Instruction Fuzzy Hash: C1213EB0804608EFDB119FA4DD0CB9CBBBEFB04705F1081A1E909AB261E7719B98DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00677E7E
                                  • Sleep.KERNELBASE(000007D0,?), ref: 00677F45
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationQuerySleepSystem
                                  • String ID:
                                  • API String ID: 3518162127-0
                                  • Opcode ID: eb681ec2fba80ad4aa3b945c77941a8c247c401de04ea82cc7988af378220300
                                  • Instruction ID: b036071453579de713673be5a91da510fe6e8c833b2b1ef75702ca16549fc68f
                                  • Opcode Fuzzy Hash: eb681ec2fba80ad4aa3b945c77941a8c247c401de04ea82cc7988af378220300
                                  • Instruction Fuzzy Hash: EB211A71904608EFDF41CFA0C944BDDBBBAFF04304F20C099E909AA261D7769A45DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00677E7E
                                  • Sleep.KERNELBASE(000007D0,?), ref: 00677F45
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationQuerySleepSystem
                                  • String ID:
                                  • API String ID: 3518162127-0
                                  • Opcode ID: fc0cabdce1ee5411bb5542273f96ea202bb772d737b74c8dbabffe019cbfef86
                                  • Instruction ID: b036071453579de713673be5a91da510fe6e8c833b2b1ef75702ca16549fc68f
                                  • Opcode Fuzzy Hash: fc0cabdce1ee5411bb5542273f96ea202bb772d737b74c8dbabffe019cbfef86
                                  • Instruction Fuzzy Hash: EB211A71904608EFDF41CFA0C944BDDBBBAFF04304F20C099E909AA261D7769A45DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,0067DE78,00000000,00000000,00000000,?,00000000), ref: 0067E239
                                    • Part of subcall function 0067B444: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,00676541,00000000,0069586C,00676390,00000000,00000000,00695858,00676378,00000000,00000000,0069584C), ref: 0067B465
                                  • NtClose.NTDLL(00000000,00000000,?,00000000), ref: 0067E24C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Thread$CloseCreateInformation
                                  • String ID:
                                  • API String ID: 3895992022-0
                                  • Opcode ID: b3d6cb20ed01d08dd66373f03585b1d3da0113c475fe551e18dee90ae5aa6340
                                  • Instruction ID: 0a99a0afb9f94b619e2345adbb603defdd997750d30deb5ebf614e2ecc441c8b
                                  • Opcode Fuzzy Hash: b3d6cb20ed01d08dd66373f03585b1d3da0113c475fe551e18dee90ae5aa6340
                                  • Instruction Fuzzy Hash: 4C01FE70740B14FBE3526F545C85BDD73AEEF08B11F204252FA1AA62D2EBB05E448755
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000005,00000008,00000004), ref: 0067B424
                                  • NtClose.NTDLL(00000008), ref: 0067B432
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseInformationThread
                                  • String ID:
                                  • API String ID: 3167811113-0
                                  • Opcode ID: 68d0caf9adc1525ad90b6fc828a6198a113e36e7555b7913f97597e2aa672141
                                  • Instruction ID: 84f3586353a0b1f752ea0f69dca785a2b3e9df959667b095ce9eb2a739cdf3c1
                                  • Opcode Fuzzy Hash: 68d0caf9adc1525ad90b6fc828a6198a113e36e7555b7913f97597e2aa672141
                                  • Instruction Fuzzy Hash: 5A018F70500208EFE700CF50DC89FAABBEDFB00705F50D165E9099B2A1E3B58A48DBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLogicalDriveStringsW.KERNELBASE(00000104,?), ref: 0067747F
                                  • GetDriveTypeW.KERNELBASE(?), ref: 00677495
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Drive$LogicalStringsType
                                  • String ID:
                                  • API String ID: 1630765265-0
                                  • Opcode ID: f7929433183ed9e091ae0372f8029a3c337f99ee169936f6a2b4e06bd836a676
                                  • Instruction ID: 787aff6f4befc49a2b9c6bca396317f50acbe17f64e67364d410b76c71f0ab31
                                  • Opcode Fuzzy Hash: f7929433183ed9e091ae0372f8029a3c337f99ee169936f6a2b4e06bd836a676
                                  • Instruction Fuzzy Hash: AFE02B325057199BDB30AAD49CC59EB77DECB11300F004161EE09D2115CB54AD86C6E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 0067A0B6
                                  • FindClose.KERNELBASE(000000FF), ref: 0067A0DC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2295610775-0
                                  • Opcode ID: 99542a9c114d1c291dd55e4f3be4e76fb84f1d7ef73e69b54d454a562b396d3f
                                  • Instruction ID: e3170eda22f31a0e35174896e144500fa0af1b22b8cec73fcfe670509ee13388
                                  • Opcode Fuzzy Hash: 99542a9c114d1c291dd55e4f3be4e76fb84f1d7ef73e69b54d454a562b396d3f
                                  • Instruction Fuzzy Hash: 45F03A74901208EFDB20DFA4CC49B9CBBB5EB44310F208296A818AB3A0D7716F91DF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: cce39cdb845a108a1b2fe97420b8c29ba5258818e115d5b0b03e4eed07e90640
                                  • Instruction ID: 7f5923c312a08d103e94daaeb30ead99701176ced817d95ebc48656bfe14d504
                                  • Opcode Fuzzy Hash: cce39cdb845a108a1b2fe97420b8c29ba5258818e115d5b0b03e4eed07e90640
                                  • Instruction Fuzzy Hash: AC31B870800208EFEB01CF94D848BDEBBF9FB04719F648159E515BA290D7B69A49DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00676844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00687764,?,00000000,00000000), ref: 00676860
                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapInformationQuerySystem
                                  • String ID:
                                  • API String ID: 3114120137-0
                                  • Opcode ID: aeb933337e81ef8f0f14b4999294bb26056136e0d5a70269f3acaf3d2c37a032
                                  • Instruction ID: 1687975fbbe1890385fc640b66ed0795f6c5e3f4bb0af0e0ec787a0faf3bbb6a
                                  • Opcode Fuzzy Hash: aeb933337e81ef8f0f14b4999294bb26056136e0d5a70269f3acaf3d2c37a032
                                  • Instruction Fuzzy Hash: 42118F31D00108FBCF11DF95D880ADDBBBAEF05310F20C5A6EA18AA251E7325A50DFA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 00675A71
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 7f39bf1177e559c09a130c7012c0d49db9e5600b4d307e25c6aa0d42082d78e5
                                  • Instruction ID: 22a9eeede4e7e2c09a2713b0d27ec2cc589f53120537e5e5ede38efc8dde034d
                                  • Opcode Fuzzy Hash: 7f39bf1177e559c09a130c7012c0d49db9e5600b4d307e25c6aa0d42082d78e5
                                  • Instruction Fuzzy Hash: 29F03C3690020DFADF10EE94D848FDEB7BDEB04314F4081A6A91AA7140E670AB499BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtTerminateProcess.NTDLL(00677DB8,00000000), ref: 0067DCC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessTerminate
                                  • String ID:
                                  • API String ID: 560597551-0
                                  • Opcode ID: d56c991ab4bf0bd30a58b9cc92bf9084a4a50be0096a79e857e0ac7c9a28331b
                                  • Instruction ID: ec8ab69b30df16c35d8d16531642adeb83a5a334b596081cbb45e267ab4cff1d
                                  • Opcode Fuzzy Hash: d56c991ab4bf0bd30a58b9cc92bf9084a4a50be0096a79e857e0ac7c9a28331b
                                  • Instruction Fuzzy Hash: 2101E8B0900208EFDB01CF90C848BDEBBB8FB04318F208199E505AB291D7B7964ACFD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQueryInformationToken.NTDLL(?,00000001,?,0000002C,?), ref: 0067B69E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationQueryToken
                                  • String ID:
                                  • API String ID: 4239771691-0
                                  • Opcode ID: 3abc180f988349ef00ae72a7b6462ff48fa30ce6353149cdf5e6581b9949bd64
                                  • Instruction ID: 5a392d9f3d87e319fed3dce1183cf2b00b8847bd5e0a8e77e406d80a8cd769f9
                                  • Opcode Fuzzy Hash: 3abc180f988349ef00ae72a7b6462ff48fa30ce6353149cdf5e6581b9949bd64
                                  • Instruction Fuzzy Hash: C0F01D31601108AFEB50DE94DD85B9AB7BEEB04B15FA04266FA19D22A0E7619E548740
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  • Opcode ID: e45e407f499fb212f141d176520b749d4bc79a2bc53ccc5a921f6616626b3f07
                                  • Instruction ID: 79cacb631541ef0137c326f922bb9a7308dea40018efce514ec53ad99407e7b8
                                  • Opcode Fuzzy Hash: e45e407f499fb212f141d176520b749d4bc79a2bc53ccc5a921f6616626b3f07
                                  • Instruction Fuzzy Hash: FDF03A35904108EBDF51DF95D880BECB7FAEF16301F20C4A6EA09AA251D3719A50EF62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  • Opcode ID: 4034f5b4bb0b4e55219c5d6f4efa23a78660e5b15a9a3b74fecedd376df9d8fc
                                  • Instruction ID: 79cacb631541ef0137c326f922bb9a7308dea40018efce514ec53ad99407e7b8
                                  • Opcode Fuzzy Hash: 4034f5b4bb0b4e55219c5d6f4efa23a78660e5b15a9a3b74fecedd376df9d8fc
                                  • Instruction Fuzzy Hash: FDF03A35904108EBDF51DF95D880BECB7FAEF16301F20C4A6EA09AA251D3719A50EF62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,00676541,00000000,0069586C,00676390,00000000,00000000,00695858,00676378,00000000,00000000,0069584C), ref: 0067B465
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID:
                                  • API String ID: 4046476035-0
                                  • Opcode ID: 0964c49be579ab9412e193b75120a96fcea9b95a981251a4bafff1e0d6dc04e3
                                  • Instruction ID: fe645d3345f0a10dab00cb14279a108481cba8c89ac831464391eabeafae9cef
                                  • Opcode Fuzzy Hash: 0964c49be579ab9412e193b75120a96fcea9b95a981251a4bafff1e0d6dc04e3
                                  • Instruction Fuzzy Hash: DAD0A7325A020CAED7109F54DC15FF633DED711702F109125B20BC6095D7B0A4D0C668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryTextWindow$CreateDialogFreeLoad$BrushColorCommandErrorLastLineMenuPixelProc$ButtonCapsCheckedCountDeviceExitHeapImageItemMessageNamePaletteParamProcessSelectSolidTick
                                  • String ID:
                                  • API String ID: 2067994032-0
                                  • Opcode ID: 532d8e3ab3c1046f2ed5abf0160f1bbbd1794949dc25ac6b95555c083100a21f
                                  • Instruction ID: 2f6489c262a587cad11f151929852f99d9587c2a6f44e0a660951fc9229c4b89
                                  • Opcode Fuzzy Hash: 532d8e3ab3c1046f2ed5abf0160f1bbbd1794949dc25ac6b95555c083100a21f
                                  • Instruction Fuzzy Hash: 740142144A9515AEC6D137F09807B6C65AB6F76315FF96B9CF108270E39E209500CB3F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Graph image not reproduced; legend: Executed / Not Executed. Function spanning 67c28c-67c3f3, with basic blocks calling CreateFileW and WriteFile and a subcall to 6717ac.]
                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 0067C2AA
                                  • WriteFile.KERNELBASE(000000FF,?,00000001,00000000,00000000,00696000,?,?,?,00000000), ref: 0067C30B
                                  • WriteFile.KERNELBASE(000000FF,?,00000001,00000000,00000000,?,?,00000000), ref: 0067C344
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID:
                                  • API String ID: 1602526932-0
                                  • Opcode ID: 7454e27e453b7e3c6ab69eacf4caee9523f43b79fd8dd583e420b1edeff98212
                                  • Instruction ID: 60140d3533392ccfc86f08fe1e00a8a0b0b3362aa9edc88f325f0b0052f1b46a
                                  • Opcode Fuzzy Hash: 7454e27e453b7e3c6ab69eacf4caee9523f43b79fd8dd583e420b1edeff98212
                                  • Instruction Fuzzy Hash: 87413C31A0060CFFDB01DF94EC45BEEFBBAEB44322F5081A6E605A2291D3715A54DB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Graph image not reproduced; legend: Executed / Not Executed. Function spanning 67c19c-67c287, with basic blocks calling GetFileAttributesW and CopyFileW and subcalls to 676934, 6716c0, 67c28c and 67686c.]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 24a6bc900c908cbcebe62b761031855981e838c9b0a0d648f69f3580cf696eaa
                                  • Instruction ID: 10f1fdd2992b48980ba80696181cb8f6f8bdea40b2481b2a9bc08eb63608f177
                                  • Opcode Fuzzy Hash: 24a6bc900c908cbcebe62b761031855981e838c9b0a0d648f69f3580cf696eaa
                                  • Instruction Fuzzy Hash: 6821D630804508EFDF52AFA4DD46B9C7BB7AB05325F2091AAF51A69172C7720F60BB06
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Graph image not reproduced; legend: Executed / Not Executed. Function spanning 67a488-67a52a, with basic blocks calling CreateThread, ResumeThread and GetExitCodeThread and a subcall to 67b3c0.]
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,0067A470,?,00000004,00000000), ref: 0067A4B9
                                  • ResumeThread.KERNELBASE(00000000), ref: 0067A4FD
                                  • GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 0067A515
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Thread$CodeCreateExitResume
                                  • String ID:
                                  • API String ID: 4070214711-0
                                  • Opcode ID: f13aa20acab06588081760188d7f75d922672e9364763f4acafc6cfc44a3d0d5
                                  • Instruction ID: 9401e93659d79e1cc01a696a6ea0be83988a4ddaac2ec9b041fc25424b327af4
                                  • Opcode Fuzzy Hash: f13aa20acab06588081760188d7f75d922672e9364763f4acafc6cfc44a3d0d5
                                  • Instruction Fuzzy Hash: 3A11E371900208FFDF11DF94DD09B9DBBBAFB04312F2091A6F916A62A0D7725A90EB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Graph image not reproduced; legend: Executed / Not Executed. Function spanning 67a1c0-67a255, with basic blocks calling CreateThread, ResumeThread and GetExitCodeThread and a subcall to 67b3c0.]
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,0067A1B0,?,00000004,00000000), ref: 0067A1E4
                                  • ResumeThread.KERNELBASE(00000000), ref: 0067A228
                                  • GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 0067A240
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Thread$CodeCreateExitResume
                                  • String ID:
                                  • API String ID: 4070214711-0
                                  • Opcode ID: 40b58a3f1d335ba67047fdd3010355515d7e447a8b6aa734418967151d11da27
                                  • Instruction ID: 4d20d67d75a1fed8b63ce68518eeba2814956ee1dde262fde9a803c4e1b45017
                                  • Opcode Fuzzy Hash: 40b58a3f1d335ba67047fdd3010355515d7e447a8b6aa734418967151d11da27
                                  • Instruction Fuzzy Hash: 5411F331940208FFDF129F90DD0AB9CBB7AEB04712F208196F915A66E0E7725B64EB45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00677853
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize
                                  • String ID: @
                                  • API String ID: 2538663250-2766056989
                                  • Opcode ID: 31127d3809ea3f17227511122345dc9e985c04edfe4a6e83557832b067e0b622
                                  • Instruction ID: 012d840499613b83e956a1fcf888706a4805641322ea4af4ff16856101d4101e
                                  • Opcode Fuzzy Hash: 31127d3809ea3f17227511122345dc9e985c04edfe4a6e83557832b067e0b622
                                  • Instruction Fuzzy Hash: 16D108B490030AEFDB10CF90D888F9ABB79BF04700F158195E519AF2A2D779DA84CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 0067DE89
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: PriorityThread
                                  • String ID:
                                  • API String ID: 2383925036-0
                                  • Opcode ID: f03bfc1581ecd91f0b13de2aec176d6cfff9caa7049e9b7e09ff400f1905462e
                                  • Instruction ID: 1984ab8929c06233b39fbf7c39b8d947e25eeb5b98ae57e43d4743af84569820
                                  • Opcode Fuzzy Hash: f03bfc1581ecd91f0b13de2aec176d6cfff9caa7049e9b7e09ff400f1905462e
                                  • Instruction Fuzzy Hash: B2A19E71500604EFDF128F50CCC9BEA3BBEEF08314F6092A2E90AC9296D7759A49CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,E80C4717,?,?,00689487), ref: 006763C5
                                    • Part of subcall function 0067B444: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,00676541,00000000,0069586C,00676390,00000000,00000000,00695858,00676378,00000000,00000000,0069584C), ref: 0067B465
                                    • Part of subcall function 0067B470: NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?,9870B143), ref: 0067B4B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateHeapInformationMemoryProtectThreadVirtual
                                  • String ID:
                                  • API String ID: 2986011945-0
                                  • Opcode ID: ace528db1d6e6d365ab41fe3508916645a20a7e8c30e443293bc6a8db0a423aa
                                  • Instruction ID: a5da79ba86c7747f0d916688a7997c1d40eebaca4456b64319b1cfb4e3cdefb9
                                  • Opcode Fuzzy Hash: ace528db1d6e6d365ab41fe3508916645a20a7e8c30e443293bc6a8db0a423aa
                                  • Instruction Fuzzy Hash: E631AA20381FB07898F132B68C0FE8F1D5F8DD2F61BD28198B41EA5586C9D06901C6BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000004), ref: 00677CBF
                                    • Part of subcall function 00676844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00687764,?,00000000,00000000), ref: 00676860
                                    • Part of subcall function 0067DC60: NtTerminateProcess.NTDLL(00677DB8,00000000), ref: 0067DCC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapManagerOpenProcessTerminate
                                  • String ID:
                                  • API String ID: 3645570960-0
                                  • Opcode ID: 09e528d696d8afc595de9143b275f49e0e5c77456e2d5ad34f620171b30de33a
                                  • Instruction ID: 28ea291edc47eb27bfd1fbf5af8c348070e53f4c961933ca84351fd05347f75d
                                  • Opcode Fuzzy Hash: 09e528d696d8afc595de9143b275f49e0e5c77456e2d5ad34f620171b30de33a
                                  • Instruction Fuzzy Hash: C041F571940208FBEF229F90DC0ABEDBBBAAF08705F508066F605B61E0D7B15A94DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00675C24: FindFirstFileW.KERNELBASE(?,?,?,00000004,?), ref: 00675CF7
                                    • Part of subcall function 00675C24: FindClose.KERNELBASE(000000FF,?,00000000), ref: 00675D1C
                                  • RtlAllocateHeap.NTDLL(?,00000000,00000010,00000000,00000000,00000000,00000000,?,?,00676408,0069540C,00675EE8,00000000,00000000,7E631824), ref: 00675DE4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$AllocateCloseFileFirstHeap
                                  • String ID:
                                  • API String ID: 1673784098-0
                                  • Opcode ID: 6aa6ab6f3a8d40e69fdb75059b62d8e3266041796467851bdc4e4ca92ca89f1e
                                  • Instruction ID: 2af491f668f5f0ebc0d742e7a7da8aad13f28e024336958d746d4d4ad8f2625d
                                  • Opcode Fuzzy Hash: 6aa6ab6f3a8d40e69fdb75059b62d8e3266041796467851bdc4e4ca92ca89f1e
                                  • Instruction Fuzzy Hash: E631D2356147029ED720CF288880755FA96BF41311F58C7EAE10E8F293EAE1C880CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0067903C: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0067905E
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 006791AF
                                    • Part of subcall function 0067DC60: NtTerminateProcess.NTDLL(00677DB8,00000000), ref: 0067DCC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustCloseHandlePrivilegeProcessServiceTerminate
                                  • String ID:
                                  • API String ID: 3176663195-0
                                  • Opcode ID: c03f2ef4040c6c850da7faede49cb598418e9dc9da6a9a206f8c4acbfc19715c
                                  • Instruction ID: 27080cce58fe411115cff6f28af7fa514b792975d0947fe1293d5cbd2d59d8cc
                                  • Opcode Fuzzy Hash: c03f2ef4040c6c850da7faede49cb598418e9dc9da6a9a206f8c4acbfc19715c
                                  • Instruction Fuzzy Hash: 90312870940209EFEB119FA0DC0DBDDBBBAEF04705F808065E609AA2E0D7759A94CB21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 006797D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,7DDDCD9C), ref: 00678DE6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationManagerOpenQuerySystem
                                  • String ID:
                                  • API String ID: 1910025873-0
                                  • Opcode ID: a9c032dafda65cc2bc71cef961ef66c150e80d7926d4ece9732ef4262e5bcf91
                                  • Instruction ID: 876e42a8f2b9c8314c3864f7274e69fe376024295d7220f2ffcff030ccb28bcc
                                  • Opcode Fuzzy Hash: a9c032dafda65cc2bc71cef961ef66c150e80d7926d4ece9732ef4262e5bcf91
                                  • Instruction Fuzzy Hash: C8311C70940608EFDB11CF90CD4DBADBBBAEF04705F6480A5E506AB2A1DBB58E45CF52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f2dd366ddda8fdf84bcfa052a537acb4337ea87eafeda373872c4f42b53b47f
                                  • Instruction ID: b42f649fb63cfe054c2720c26dc24a54809a2e9c9e2db1c923f85504b8df54d5
                                  • Opcode Fuzzy Hash: 2f2dd366ddda8fdf84bcfa052a537acb4337ea87eafeda373872c4f42b53b47f
                                  • Instruction Fuzzy Hash: E2216730951608EFEF119F94DC05BEDBBB2FF05705F5080B9F909AA2A1E7314A90EB49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 0067905E
                                    • Part of subcall function 006797D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00679805
                                    • Part of subcall function 00679880: NtClose.NTDLL(00000000), ref: 00679971
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustCloseInformationPrivilegeQuerySystem
                                  • String ID:
                                  • API String ID: 327775174-0
                                  • Opcode ID: 746919490e9be2476e579cde565d071c6eb616cad21c6171ab9dd2709a8da28f
                                  • Instruction ID: 5861977d744a689acf34891baca6402ecdbf27876bbf5f52c63d048b840b8e5d
                                  • Opcode Fuzzy Hash: 746919490e9be2476e579cde565d071c6eb616cad21c6171ab9dd2709a8da28f
                                  • Instruction Fuzzy Hash: B8016770910308BFEF609FA4CC4DFDD7AF9DB00715F108199B505A62D0E7B54A84C7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAdjustPrivilege.NTDLL(00000000,00000001,00000000,?), ref: 0067B727
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPrivilege
                                  • String ID:
                                  • API String ID: 3260937286-0
                                  • Opcode ID: 087f5727b9378765cf2c9ca5c56b0a1738b1c990181673c4d4423f1c31f92768
                                  • Instruction ID: 331d7150440304991fa24e69eec1d867b4408f2d96adba4d27e8858aba7d6e02
                                  • Opcode Fuzzy Hash: 087f5727b9378765cf2c9ca5c56b0a1738b1c990181673c4d4423f1c31f92768
                                  • Instruction Fuzzy Hash: 7FD02B3110410966CB3856542C01BF233AFC7C0721F102312AD0BDB1D0FB52694503E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlReAllocateHeap.NTDLL(?,00000008,?,00000400,?,00679825,?,00000400), ref: 006768B3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 0a15e358cf6b885af21e9fb8ac1fe3d38a8e9ddc6a549b499fbe4c9ec7488b43
                                  • Instruction ID: 72ff0eaa53cc7ca765d0946c952a5713e485b9179f04ec418a637ee0d6220646
                                  • Opcode Fuzzy Hash: 0a15e358cf6b885af21e9fb8ac1fe3d38a8e9ddc6a549b499fbe4c9ec7488b43
                                  • Instruction Fuzzy Hash: 0CD0A731040704AFCB815F58DC05FCA372ABB10700F40C011FA484E461CB31D460DB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(?,00000000,00000000,?,006877F4,00000000), ref: 00676888
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: cee57e1491dd779152ab327aed0c0f530248fd1a34ea42a230a4c9484b65fa66
                                  • Instruction ID: 14740d4e211408b593377703a4dee4f8eaef890513c71b397cf0e1ebb55366f9
                                  • Opcode Fuzzy Hash: cee57e1491dd779152ab327aed0c0f530248fd1a34ea42a230a4c9484b65fa66
                                  • Instruction Fuzzy Hash: A8D012311507049FC7559F58E805FD6376EAB14704F854016B74D8B1B1CB75D890DB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00687764,?,00000000,00000000), ref: 00676860
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 272c149c3b4f64fe331ad73606dd64267179331e64a3e46346804ebdacd5d32f
                                  • Instruction ID: 05f705ecd8881f9caa33491f0c45200b38aec5c4afba3a8783642394cf9cdfe7
                                  • Opcode Fuzzy Hash: 272c149c3b4f64fe331ad73606dd64267179331e64a3e46346804ebdacd5d32f
                                  • Instruction Fuzzy Hash: D1D02230040B049FC3809F58E805FC6372EAB20702F408015B34D4F062CB31D8E0DBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CheckTokenMembership.KERNELBASE(00000000,0067B4CC,?), ref: 0067B4ED
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CheckMembershipToken
                                  • String ID:
                                  • API String ID: 1351025785-0
                                  • Opcode ID: 5dcb0b64efb0557196ce2f605c9fe3b9622bb1197e53b4ddd4a989032e9db75b
                                  • Instruction ID: 0878c6c582e302a90b58877ba08b7513cd11baee5554c5194284a5376107ee01
                                  • Opcode Fuzzy Hash: 5dcb0b64efb0557196ce2f605c9fe3b9622bb1197e53b4ddd4a989032e9db75b
                                  • Instruction Fuzzy Hash: 10C01234A4420CABD610DA94AC46BAAB3AC9B04A21F501391AD1C922D2EBA16F1486D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLogicalDriveStringsW.KERNELBASE(?,?), ref: 0067A47B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DriveLogicalStrings
                                  • String ID:
                                  • API String ID: 2022863570-0
                                  • Opcode ID: cc72e73bdb5aeaa625490fa8700d7b017eaa175e6767f909920c863a00dffbab
                                  • Instruction ID: 42c892b803b85d5de1950e39e57695e6f82c7152b02fe0dff81732f5c5e0f39d
                                  • Opcode Fuzzy Hash: cc72e73bdb5aeaa625490fa8700d7b017eaa175e6767f909920c863a00dffbab
                                  • Instruction Fuzzy Hash: 8FC09236000308EF8B029F88ED48C85BFEEEB187007058062F6094B532CB32E820EB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDriveTypeW.KERNELBASE(?), ref: 0067A1B6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                  • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DriveType
                                  • String ID:
                                  • API String ID: 338552980-0
                                  • Opcode ID: 44f9801d2e5c310c2f4630eaa690a52f06bc4b7c3138d320f8c5a02e8e90cbb8
                                  • Instruction ID: 757d9244519551eda61fa236e61432dcd9fdd8869d94d221450291344db379a2
                                  • Opcode Fuzzy Hash: 44f9801d2e5c310c2f4630eaa690a52f06bc4b7c3138d320f8c5a02e8e90cbb8
                                  • Instruction Fuzzy Hash: 01B0123100020CA787015F41EC048857F5ED7102617004022F5050042187325461D694
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00677853
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: 118a26a3e28e7a4d3130c760430f9acc9d2580282dada84b2ea94119cff7bfec
                                  • Instruction ID: 10968adabb3f6cd4aa65d6cfaea58a991994ecd0c92520d8a27d1db362d20fa9
                                  • Opcode Fuzzy Hash: 118a26a3e28e7a4d3130c760430f9acc9d2580282dada84b2ea94119cff7bfec
                                  • Instruction Fuzzy Hash: 2481F2B8810306DFCB50DF50D988B89BB79BF05354F16C19995186F362C37ADA84CFA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ea34aedcce2fe762d67214f05cc5e75d65e9bfe89a06d48444e68c74d9846b2
                                  • Instruction ID: 65c79a84bc6c5abd69a6f1ecb1e80d37a4a41065037e87b569a9ca426b4834aa
                                  • Opcode Fuzzy Hash: 7ea34aedcce2fe762d67214f05cc5e75d65e9bfe89a06d48444e68c74d9846b2
                                  • Instruction Fuzzy Hash: 43E14D7AA60E128BD72DCF19E8C4625B3A3FB89340F09C538C61987B55C735F960DB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ae1b344ce7eabeca7d5a0e2004a9b7e15b356c338447e056007cc76e97bc746
                                  • Instruction ID: df9e30a6dbe5a69c9af5285db50a36ca3e00201fe9b855f2c041dc895eebf9a3
                                  • Opcode Fuzzy Hash: 5ae1b344ce7eabeca7d5a0e2004a9b7e15b356c338447e056007cc76e97bc746
                                  • Instruction Fuzzy Hash: 93D1E4719083818FC790CF29C58065AF7E1FFD8358F549A1EE9D9D3211E770EA998B82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 47c04db8dffedc22e3cc7745aeacabd354cb20dda26e72376e462c76fd8970a8
                                  • Instruction ID: 1e1337cfc3531e4178aaac4b3b850364df3816f4192070e92698c79755a10bcf
                                  • Opcode Fuzzy Hash: 47c04db8dffedc22e3cc7745aeacabd354cb20dda26e72376e462c76fd8970a8
                                  • Instruction Fuzzy Hash: 3FD1307AE60A4B8BDB18CF58ECD0A7AB3B3FB98340F098538C71597755C634AA50DB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 42965ac9b2bb0d3fcae554e968a6e5568d39f63cf205f3f0fad1c6297af4a888
                                  • Instruction ID: 1c17ddcdd3c5a8184a119c3f3e8c0c8a73e5dc8befc436b3e6bdc9684f2e5775
                                  • Opcode Fuzzy Hash: 42965ac9b2bb0d3fcae554e968a6e5568d39f63cf205f3f0fad1c6297af4a888
                                  • Instruction Fuzzy Hash: E0311722FC69074EFF71E058864D7F6A207E3107A2DEDD1A3C56E93742DC160E839696
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e477809b1a115981068a3b6b0f382a67157d42569821d5d8c5dbd511d95a568c
                                  • Instruction ID: b6f69e1c9d1e6f911ce0e688dc8937522095e55990803cc7214c95d8f95d968c
                                  • Opcode Fuzzy Hash: e477809b1a115981068a3b6b0f382a67157d42569821d5d8c5dbd511d95a568c
                                  • Instruction Fuzzy Hash: 39311876A11A069BC328CF1AD888965F7F2FF9D310B15CA29D96D87B51D730F990CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068502314.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                   • Associated: 00000000.00000002.2068462624.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068661440.000000000068A000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068732522.000000000068B000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068806670.0000000000694000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068904072.0000000000696000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2069016400.0000000000697000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_670000_Rcqcps3y45.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e9e9d037a559c25274071be2e09c2d3cf2f15b9f66fb5d997d9d64617e40bf4
                                  • Instruction ID: 7ad73d138e2c6059759b0ee0e6c00cc7aaa7d1571c820bee2d33f9ae0c98077e
                                  • Opcode Fuzzy Hash: 6e9e9d037a559c25274071be2e09c2d3cf2f15b9f66fb5d997d9d64617e40bf4
                                  • Instruction Fuzzy Hash: C5E04FBB20D3425FF928951574533E78387C380675E25849FE456DF2C0EF1BE8A52049
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:32.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:1.3%
                                  Total number of Nodes:160
                                  Total number of Limit Nodes:1
                                   Rendered execution graph (process 2, image base 00400000) is not preserved in this text export; only its node data survives. Two entry paths: 403983 -> 40389c -> 402a78 -> 4028ba -> 402760, and 403956 -> 4019d4 -> 4016b4 (node "9 API calls", called repeatedly from 4019d4); further roots at 4019b7 and 402126. API-calling nodes recorded in the graph, grouped by the function that reaches them:
                                   • 402a78 path: 402af0 CreateMutexW
                                   • 402760: CreateFileW; 4027c0 ReadFile; 4027f6 NtClose; 4020bc -> 4020c8 RtlAllocateHeap
                                   • 4026c0 path: 4026e7 CreateFileW; 40270b ReadFile
                                   • 402f18 path: 40227c FindFirstFileExW; 402f67 CreateFileW; 402fb4 NtAllocateVirtualMemory; 40304b WriteFile; 403068 and 403095 SetFilePointerEx; 4030c5 NtFreeVirtualMemory; 4030f3 NtClose; 402e10 -> 402e37 DeleteFileW and 402e7c MoveFileExW
                                   • 4022dc path: 402335 GetShortPathNameW; 402330 (27 API calls); 40246d ShellExecuteW
                                   • 401b70 RtlCreateHeap; 401ba6 RtlCreateHeap; 401a40 -> 401a5d RtlAllocateHeap (called repeatedly)
                                   • 401d94 -> 401da8 NtSetInformationThread; 401dc2 -> 401df2 NtProtectVirtualMemory
                                   • 402812 and 402836 -> 402850 RtlAdjustPrivilege
                                   • 4016b4 path: 4016f5 and 40172f NtAllocateVirtualMemory
                                   • 40152c path: 4015ed FindFirstFileExW; 401649 FindNextFileW; 40162a and 40165d FindClose
                                   • 401474 -> 4014b8 LdrLoadDll; 4014d8 -> 4014fa and 40150f LdrGetProcedureAddress
                                   • 40286c NtSetInformationProcess (three calls)

                                  Callgraph

                                   Rendered callgraph is not preserved in this text export (the executed/not-executed colouring, opacity-as-relevance and disassembly-available markers are lost). Recoverable data: 85 functions, Function_00401000 through Function_00403983, with two roots: Function_00403983 -> Function_0040389C -> Function_004026C0, Function_004022DC, Function_00402A78, Function_00402F18; and Function_00403956 -> Function_004019D4, Function_00401B70, Function_00402812, Function_00402836. Function_00402F18 reaches Function_0040227C and Function_00402E10; Function_00402760 reaches Function_004020BC; Function_0040152C and Function_00401394 reach the loader-resolution helpers Function_00401474 and Function_004014D8.

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: Text$Color$CreateWindow$Proc$CommandFontFreeHandleLibraryLineLoadMenuModule$AddressBitmapCharsetErrorExitInfoLastLocaleObjectProcessSelect
                                  • String ID:
                                  • API String ID: 3548022523-0
                                  • Opcode ID: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
                                  • Instruction ID: 44f13d8dc4ada08d969f55db554330e9d88bd117b0c18836a0928b418f5903af
                                  • Opcode Fuzzy Hash: 75a7f395dfd15dd6a7f12e7587c497a330da91454d241e242464d6c2316bf13f
                                  • Instruction Fuzzy Hash: 89F0B724B651416AC500BFFB9947A0D6E2C6E8472BB50657EB0C1344E74D3C87009EAF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                   Rendered control-flow graph for the function at 00402F18-00403141 is not preserved in this text export (executed/not-executed colouring lost). Recoverable block data: 402f35 calls 40227c; 402f67 CreateFileW; 402fb4 NtAllocateVirtualMemory; 40304b WriteFile; 403068 and 403095 SetFilePointerEx; 4030c5 NtFreeVirtualMemory; 4030f3 NtClose; 4030ff calls 402e10 then DeleteFileW; return block 403138-403141. The WriteFile block (40304b-403064) and the first SetFilePointerEx block (403068-403088) form a loop, i.e. the file is written in repeated fixed-size chunks before it is closed and deleted.
                                  APIs
                                  • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
                                  • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
                                  • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
                                  • SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
                                  • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
                                  • NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
                                  • DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: File$MemoryPointerVirtual$AllocateCloseCreateDeleteFreeWrite
                                  • String ID:
                                  • API String ID: 590822095-0
                                  • Opcode ID: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
                                  • Instruction ID: 1b8bdb635f3090c090aca30f1047892238d11e79f8ef36d2dcee79009cce4089
                                  • Opcode Fuzzy Hash: 52122dafd602033dbf0aaa267e6343e8fb4df09450a7f36494692c9b8865e816
                                  • Instruction Fuzzy Hash: ED714871901209AFDB11CF90DD48BEEBB79FB08311F204266E511B62D4D3759E85CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • FindFirstFileExW.KERNELBASE(C:\Windows\System32\*.dll,00000000,?,00000000,00000000,00000000), ref: 00401601
                                  • FindClose.KERNELBASE(000000FF,?,00000000), ref: 0040162D
                                  • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00401653
                                  • FindClose.KERNEL32(000000FF), ref: 00401660
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: C:\Windows\System32\*.dll
                                  • API String ID: 1164774033-1305136377
                                  • Opcode ID: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                  • Instruction ID: b8f602421e8d3e3309feb9384621a56ef9d54da146c7d7394d3b11ea37959a12
                                  • Opcode Fuzzy Hash: bdb8730289e2ca857be386bc3c3ab385330ed8d95a663a52d2d02b9110bb0279
                                  • Instruction Fuzzy Hash: 30418C71900608EFDB20AFA4DD48BAA77B4FB44325F608276E521BE1F0D7794A85DF48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                   Rendered control-flow graph for the function at 00402760-0040280B is not preserved in this text export (executed/not-executed colouring lost). Recoverable block data: 402760 CreateFileW; 4027ab calls 4020bc; 4027c0 ReadFile; 4027f6 NtClose; return block 402802-40280b.
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040278B
                                  • ReadFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 004027D3
                                  • NtClose.NTDLL(000000FF), ref: 004027FF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateRead
                                  • String ID:
                                  • API String ID: 1419693385-0
                                  • Opcode ID: da89fd3cbdd23a7ddbe5d8b9f381f279ea58f3e72d3b71a90626c9ff8252170d
                                  • Instruction ID: da411bd40fb0d6d878d2d447c4e829303a7e8bd202b0d35ae7576ead56d2946b
                                  • Opcode Fuzzy Hash: da89fd3cbdd23a7ddbe5d8b9f381f279ea58f3e72d3b71a90626c9ff8252170d
                                  • Instruction Fuzzy Hash: CA211A35601209EBDB10CF94DD89B9EBB75FF08310F2082A5A510AB2E1D7719E51DF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 94 40286c-4028b9 NtSetInformationProcess * 3
                                  APIs
                                  • NtSetInformationProcess.NTDLL(000000FF,00000021,?,00000004), ref: 00402888
                                  • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,00000004), ref: 0040289D
                                  • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,00000004), ref: 004028B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: InformationProcess
                                  • String ID:
                                  • API String ID: 1801817001-0
                                  • Opcode ID: b71ac733508e6e437ba76d930e61bde730921b23b00966883a2217b3d9eaec84
                                  • Instruction ID: 48adbd17ca007e7691ff2066b81a5959555298f4bd9a539b6f325b5cfe831ef7
                                  • Opcode Fuzzy Hash: b71ac733508e6e437ba76d930e61bde730921b23b00966883a2217b3d9eaec84
                                  • Instruction Fuzzy Hash: 2BF0F871141610EBEB15DB84DDC9F9637A8FB09720F2403A1F2319E1E6D3B0A484CF96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 95 401dc2-401df0 97 401e21-401e27 95->97 98 401df2-401e10 NtProtectVirtualMemory 95->98 98->97 99 401e12-401e1f 98->99 99->97
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?), ref: 00401E0B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-3916222277
                                  • Opcode ID: 743ccc95185ac25335bad8a24ea2ffb6d91b2a6f6c30658889cc31c7cdbad58c
                                  • Instruction ID: 836d3446d31acb3b31e0b6cd8f4ee088cd02c28435d2c0c4ff934eaabbb3754d
                                  • Opcode Fuzzy Hash: 743ccc95185ac25335bad8a24ea2ffb6d91b2a6f6c30658889cc31c7cdbad58c
                                  • Instruction Fuzzy Hash: 72F03176500109ABDB00CF95D988BDFB7BCEB44324F2042A9EA14A72D1D7355E458B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 180 4016b4-4016c9 181 401859-401862 180->181 182 4016cf-4016d6 180->182 183 4016f5-401729 NtAllocateVirtualMemory 182->183 184 4016d8-4016f0 call 401000 182->184 183->181 186 40172f-40174c NtAllocateVirtualMemory 183->186 184->183 186->181 188 401752-40175a call 40152c 186->188 190 40175f-401761 188->190 190->181 191 401767-40176d 190->191 192 401774-401781 call 401000 191->192 193 40176f 191->193 196 401851-401854 192->196 197 401787-401798 call 401e78 192->197 193->181 196->191 200 4017c9-4017cc 197->200 201 40179a-4017c4 call 401e78 197->201 203 4017fa-4017fd 200->203 204 4017ce-4017f8 call 401e78 200->204 201->196 205 401815-401818 203->205 206 4017ff-401813 203->206 204->196 210 401830-401833 205->210 211 40181a-40182e 205->211 206->196 210->196 212 401835-40184b 210->212 211->196 212->196
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00103000,00000040), ref: 0040171F
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00103000,00000004), ref: 00401742
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 4a0fb159cb167e270aa132b3f88ebad20637f68d71e3a3db65f788631af4fc76
                                  • Instruction ID: ad4b5e7ce53ce887a57ee0cc443bca07838dd3003dcb7b2c4dfa2ad75add82e8
                                  • Opcode Fuzzy Hash: 4a0fb159cb167e270aa132b3f88ebad20637f68d71e3a3db65f788631af4fc76
                                  • Instruction Fuzzy Hash: E3416031904204DADF10EF58C884B9AB7A4FF05314F14C1BAE919EF2E6D7788A41CB6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 288 40227c-4022ad FindFirstFileExW 289 4022d2-4022d8 288->289 290 4022af-4022cf 288->290 290->289
                                  APIs
                                  • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 004022A4
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: cdec62c82a5867c9461e13d27f073131a42764883e1863d73d8ab6d37f0e38bf
                                  • Instruction ID: 55f0629c3eadcc188d8749e42e063c0b49bca1bc4f8f265f590f61ae6da82bee
                                  • Opcode Fuzzy Hash: cdec62c82a5867c9461e13d27f073131a42764883e1863d73d8ab6d37f0e38bf
                                  • Instruction Fuzzy Hash: BBF0C974902608EFDB10DF94CD49B9DFBB4EB48310F2082A5A918AB2A0D7715E91CF84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00401DBB
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID:
                                  • API String ID: 4046476035-0
                                  • Opcode ID: 2ec57d8305034ae4dcd04f6f280aec29aa5e37325b0f502564d07dd60a6e8475
                                  • Instruction ID: 482b214da63c1bafeb7c1bb62a0bbbc62c262419b9af6fea3894fce228737229
                                  • Opcode Fuzzy Hash: 2ec57d8305034ae4dcd04f6f280aec29aa5e37325b0f502564d07dd60a6e8475
                                  • Instruction Fuzzy Hash: FEE05E329A020DAFD710DB50DC45FBB376DEB55311F508236B5029A1E0D6B8F891DA98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 100 401b70-401b9f RtlCreateHeap 101 401ba1 100->101 102 401ba6-401bc4 RtlCreateHeap 100->102 103 401d8a-401d90 101->103 104 401bc6 102->104 105 401bcb-401be7 102->105 104->103 107 401be9 105->107 108 401bee-401c05 call 401a40 105->108 107->103 111 401c07 108->111 112 401c0c-401c3d 108->112 111->103 115 401c44-401c5b call 401a40 112->115 116 401c3f 112->116 119 401c62-401c93 115->119 120 401c5d 115->120 116->103 123 401c95 119->123 124 401c9a-401cb1 call 401a40 119->124 120->103 123->103 127 401cb3 124->127 128 401cb8-401ce9 124->128 127->103 131 401cf0-401d07 call 401a40 128->131 132 401ceb 128->132 135 401d09 131->135 136 401d0b-401d3c 131->136 132->103 135->103 139 401d40-401d57 call 401a40 136->139 140 401d3e 136->140 143 401d59 139->143 144 401d5b-401d80 call 401d94 call 401dc2 139->144 140->103 143->103 147 401d83 144->147 147->103
                                  APIs
                                  • RtlCreateHeap.NTDLL(00001002,00000000,00000000,00000000,00000000,00000000), ref: 00401B96
                                  • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000), ref: 00401BBB
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: CreateHeap
                                  • String ID:
                                  • API String ID: 10892065-0
                                  • Opcode ID: 453bda9d08a0096fe53e6a5bcc4a475ef93f8d776735eeddf63228c397926240
                                  • Instruction ID: eac1ce902914894448f3c06d12ced00cbe17960004271ddceb971b2a38276b5e
                                  • Opcode Fuzzy Hash: 453bda9d08a0096fe53e6a5bcc4a475ef93f8d776735eeddf63228c397926240
                                  • Instruction Fuzzy Hash: 34513034A80A04FBD7109B60ED09B5B7770FF18701F2086BAE6117A2F1D775A5859F8D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 150 4022dc-40232e 154 402330 150->154 155 402335-402347 GetShortPathNameW 150->155 156 402483-402487 154->156 157 402349-402359 155->157 158 40235e-402380 155->158 159 402495-402499 156->159 160 402489-40248f 156->160 157->156 168 402382 158->168 169 402387-402425 158->169 163 4024a7-4024ab 159->163 164 40249b-4024a1 159->164 160->159 165 4024b9-4024bf 163->165 166 4024ad-4024b3 163->166 164->163 166->165 168->156 175 402427 169->175 176 402429-402481 ShellExecuteW 169->176 175->156 176->156
                                  APIs
                                  • GetShortPathNameW.KERNELBASE(00000000,00000000,?), ref: 00402340
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: NamePathShort
                                  • String ID:
                                  • API String ID: 1295925010-0
                                  • Opcode ID: a0a4f684a9d9108a63d91a30c19249ae39ae68594d14297edb71c581cb82e24b
                                  • Instruction ID: 5bcac900e59d09c9622bdf940851d370624af246baed8abb1bc217228d1f7e1b
                                  • Opcode Fuzzy Hash: a0a4f684a9d9108a63d91a30c19249ae39ae68594d14297edb71c581cb82e24b
                                  • Instruction Fuzzy Hash: B6514E75900606EFDB00DF90E948B9EFB71FF48301F2082A9E6156B2A1C375AA91DFC5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 213 4026c0-4026e5 call 4024f8 215 402730-402734 213->215 216 4026e7-402709 CreateFileW 213->216 218 402742-402746 215->218 219 402736-40273c 215->219 216->215 217 40270b-402727 ReadFile 216->217 217->215 220 402729 217->220 221 402754-40275a 218->221 222 402748-40274e 218->222 219->218 220->215 222->221
                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004026FF
                                  • ReadFile.KERNELBASE(000000FF,000000FF,0000021C,?,00000000), ref: 00402722
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: File$CreateRead
                                  • String ID:
                                  • API String ID: 3388366904-0
                                  • Opcode ID: 64d441af2ae5f8cd80c02da2bb5cacaba4a8c0a7bb8fd120945ed4e9a720f5dc
                                  • Instruction ID: dec784d2d3492f4c007a4c80bb83cd8b4abde05e7af7cfb80cb91198c32a9eba
                                  • Opcode Fuzzy Hash: 64d441af2ae5f8cd80c02da2bb5cacaba4a8c0a7bb8fd120945ed4e9a720f5dc
                                  • Instruction Fuzzy Hash: 7511D774910209EFDB10DF94DD48B9FBBB5FB08311F2046A9A524B62E1D7B15A91CF84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 224 401a40-401a5a 225 401a5d-401a77 RtlAllocateHeap 224->225 226 401a85-401a94 call 401e78 225->226 227 401a79-401a82 225->227 230 401ac5-401ac8 226->230 231 401a96-401ac0 call 401e78 226->231 233 401af6-401af9 230->233 234 401aca-401af4 call 401e78 230->234 239 401b4d-401b55 231->239 237 401b11-401b14 233->237 238 401afb-401b0f 233->238 234->239 241 401b16-401b2a 237->241 242 401b2c-401b2f 237->242 238->239 239->225 243 401b5b-401b6b 239->243 241->239 242->239 244 401b31-401b47 242->244 244->239
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000010), ref: 00401A6D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 3090814481001f51fad53404be7bb9f089635e5ecf5702693e45b6397da5dce2
                                  • Instruction ID: 68c0462a3af62cc3e50a8e225ecc1fff045641083c52707b2e4de1a33f1d8fac
                                  • Opcode Fuzzy Hash: 3090814481001f51fad53404be7bb9f089635e5ecf5702693e45b6397da5dce2
                                  • Instruction Fuzzy Hash: 9F316935A14308DFDB10CF99C488E99F7F1BF24320F15D0AAD508AB2B2D7B59950DB4A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 245 402e10-402e35 247 402e37 245->247 248 402e39-402e4e 245->248 249 402eab-402eb7 247->249 253 402e50 248->253 254 402e52-402e57 248->254 250 402ec5-402eca 249->250 251 402eb9-402ebf 249->251 251->250 253->249 255 402e5c-402e6d 254->255 257 402e70-402e7a 255->257 257->257 258 402e7c-402e8f MoveFileExW 257->258 259 402e91 258->259 260 402e93-402ea9 258->260 259->249 260->249 260->255
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ec2b1c2d5d64686e5e6a52de2e159d7ebe58570cf782c44f0051c3652f2bf9a
                                  • Instruction ID: 64be472d3da9365df722bb42b6a14b0a0006b9682bbf08d732ce7ada7e71b141
                                  • Opcode Fuzzy Hash: 2ec2b1c2d5d64686e5e6a52de2e159d7ebe58570cf782c44f0051c3652f2bf9a
                                  • Instruction Fuzzy Hash: 8A214C71940208EFDB109F90DE49B9ABB71FF18301F2081BAE505AA2E1D3759E91DF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 262 402a78-402a9c call 4028ba 264 402aa3-402ac2 262->264 265 402a9e 262->265 270 402ac4-402ad3 264->270 271 402ad5-402ae0 264->271 266 402b28-402b2c 265->266 267 402b3a-402b40 266->267 268 402b2e-402b34 266->268 268->267 270->266 274 402ae2-402ae8 271->274 275 402aea 271->275 276 402af0-402b1f CreateMutexW 274->276 275->276 276->266 277 402b21 276->277 277->266
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 76ac4189c2e983f292498be2e35779ead737e5081f8c929ef40d6d428a78efce
                                  • Instruction ID: 5f31ce468cef0475a522e9655e813cee8f96e501922e94d34a843d9ecc1c4f5f
                                  • Opcode Fuzzy Hash: 76ac4189c2e983f292498be2e35779ead737e5081f8c929ef40d6d428a78efce
                                  • Instruction Fuzzy Hash: A921F974901608EFDB00CF90EA8C79EBB71FF08301F6045A9E5017A2A0D7B95A85DF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 279 401474-401488 280 40148a-40148d 279->280 281 4014ac-4014b3 call 4013f8 279->281 282 401493-401498 280->282 285 4014b8-4014d2 LdrLoadDll 281->285 282->282 284 40149a-4014aa call 4013f8 282->284 284->285
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 004014C4
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                  • Instruction ID: 140de97a3c31e0856ca0b204e221eb1e366fb0b1d4fd9a07ba92ba20ce5f8dd4
                                  • Opcode Fuzzy Hash: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                  • Instruction Fuzzy Hash: F7F03C3690020DFADF10EAA4D848FDE77BCEB14314F0041A6E904B7190D238AA099BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,00000000), ref: 00402861
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilege
                                  • String ID:
                                  • API String ID: 3260937286-0
Uniqueness
• Uniqueness Score: -1.00%
                                  APIs
                                  • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004020D7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2073197740.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2073163515.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2073223216.0000000000404000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2073296034.0000000000405000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2073326034.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_400000_CBE8.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
Uniqueness
• Uniqueness Score: -1.00%